... because if it is a status of a VC, entities are already expected to support VCs.
One advantage of it being a VC is that StatusList2021Credential can be downloaded by the Holder and sent to the Verifier when the Holder is offline. Though if I am an attacker, I will download a version before my VC gets revoked, and keep sending it... so security considerations that a verifier needs to be careful when accepting a StatusList2021Credential offline should be included. Or include a "statusListCredential" URL inside statusList2021Credential so that there is a circular logic?
The security considerations should indicate at least two things to help verifiers mitigate problems here:
1. Advise verifiers not to accept a status list VC that is outside of its validity period.
2. If the status list VC validity period is "too large" (specify something for this and the rationale), advise verifiers not to accept a status list VC that is "too large"-many minutes after the beginning of the validity period if they did not retrieve it directly from the issuer themselves.
Additionally, advice should be given to issuers to have validity periods no larger than "too large" and to expect that verifiers will follow the above advice.
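The two verifier checks suggested in the comment above, sketched as an added example that is not part of the issue thread or the specification. It assumes the status list VC's signature has already been verified, that the validity period is carried in `validFrom`/`validUntil`, and it uses a placeholder 15-minute value for the "too large" threshold, which the thread leaves unspecified.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the thread does not define "too large"; 15 minutes is a placeholder.
MAX_RELAYED_AGE = timedelta(minutes=15)

# Constructed sample (not a real credential): a status list VC valid for 24 hours.
SAMPLE_STATUS_LIST_VC = {
    "type": ["VerifiableCredential", "StatusList2021Credential"],
    "validFrom": "2024-01-01T12:00:00Z",   # assumed field name
    "validUntil": "2024-01-02T12:00:00Z",  # assumed field name
}


def _parse(ts):
    """Parse a timestamp such as 2024-01-01T12:00:00Z; reject naive values."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("timestamp without timezone")
    return dt


def check_status_list(vc, now, fetched_from_issuer,
                      max_relayed_age=MAX_RELAYED_AGE):
    """Return (accepted, reason) for a signature-verified status list VC.

    `now` must be timezone-aware. `fetched_from_issuer` is True only when the
    verifier retrieved the list itself, False when the holder handed it over.
    """
    try:
        valid_from = _parse(vc["validFrom"])
        valid_until = _parse(vc["validUntil"])
    except (KeyError, ValueError, TypeError, AttributeError):
        # Fail closed: without a validity period, freshness cannot be judged.
        return False, "missing or malformed validity period"

    # Check 1: never accept a list outside its validity period.
    if not (valid_from <= now <= valid_until):
        return False, "outside validity period"

    if fetched_from_issuer:
        return True, "fetched directly from issuer"

    # Check 2: a holder-relayed copy is only trusted close to the start of the
    # validity period, so a copy saved before revocation ages out quickly.
    # If the whole period is shorter than the threshold this never triggers.
    if now - valid_from > max_relayed_age:
        return False, "relayed copy too old"
    return True, "relayed copy still fresh"
```
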