Content of signed_metadata vs REQUIRED fields in unsigned metadata

[jtalir]

It is written in signed_metadata description that "If the Credential Issuer wants to enforce use of signed metadata, it omits the respective metadata parameters from the unsigned part of the Credential Issuer metadata". However, there are 3 attributes marked as REQUIRED in unsigned part (credential_issuer, credential_endpoint and credential_configurations_supported) so it is not possible to omit them without potentially breaking some metadata validators.

Maybe solution would be to clarify that these 3 attributes are "REQUIRED if signed_metadata attribute is not present"?

[jtalir]

I believe that with relation to #448, if singed_metadata is primary feature for issuer authentication, it should be also clear how to implement it from the beginning. Is it expected that signed_metadata can be the only attribute in metadata json? Would it break something? Or is it a MUST that at least credential_issuer must be present both in signed_metadata and also at top level?