Safe merge of client_metadata and trust chain final metadata

[peppelinux]

Discussion in OpenID4VP here: https://github.com/openid/OpenID4VP/pull/233/files#r1744565264

there might be cases where the Credential Verifier uses ephemeral metadata parameters, such as jwks for encryption, within the client_metadata parameter used in the request. For this reason the client_metadata parameter has sense to be kept and therefore must be handled safely

[TomCJones]

what's the question?

[jogu]

FWIW https://openid.github.io/OpenID4VP/openid-4-verifiable-presentations-wg-draft.html#section-5.1 currently says:

Authoritative data the Wallet is able to obtain about the Client from other sources, for example those from an OpenID Federation Entity Statement, take precedence over the values passed in client_metadata.

I think further clarification is needed somewhere about behaviour here. But my assumption is that the verifier would not publish an encryption key in its jwks published via Federation, and hence it would be compliant with the above spec to take an encryption key from client_metadata instead (as the Verifier wouldn't have an authoritative encryption key).