Clarify connection between status management and credential

[cre8]

The Oauth Status List gives some information of the trust management between the credential issuer and the status manager.

In some situations, someone could use a status management provider, so the entity of the credential issuer and status management is different. Then it is considered to link it via the same certificate authority. But how do I link these two entities together, is it just that they need to be issued via the same CA?

[jogu]

This may just be out of scope? The wallet/verifier need to decide what status management providers they trust, in the same way they need to decide what credential issuers to trust.

I think it some cases it will be sufficient that the token status list is signed by a certificate that has a trusted root certificate (given which token status list is used is listed in the credential I think there's already a reasonable degree of trust in it?)

[Sakurann]

agree with joseph this sounds like out of scope, given that there are possibly multiple reasons why these two providers might be different or same