Added ‘the key proof contains or refers to at least one Proven Key’ check to the key proof validation steps in section ‘Verifying Proof’.

joelposti · joelposti · commit 2df784c5a77d · 2025-09-10T14:21:20.000+03:00
diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md
@@ -2770,6 +2770,7 @@ To validate a key proof, the Credential Issuer MUST ensure that:
 - the header parameter does not contain a private key,
 - if the server has a Nonce Endpoint, the nonce in the key proof matches the server-provided `c_nonce` value,
 - the creation time of the JWT, as determined by either the issuance time, or a server managed timestamp via the nonce claim, is within an acceptable window (see (#key-proof-replay)).
+- the key proof contains or refers to at least one Proven Key
 
 These checks may be performed in any order.
 
