Misunderstanding of what AuthorizedNamespaces is #462

Open
davidz25 opened this issue Feb 19, 2025 · 0 comments
davidz25 commented Feb 19, 2025

Section A.2.4. Credential Response says the following

The value of the credential claim in the Credential Response MUST be a string
that is the base64url-encoded representation of the CBOR-encoded IssuerSigned
structure, as defined in [ISO.18013-5]. This structure SHOULD contain all
Namespaces and IssuerSignedItems that are included in the AuthorizedNamespaces
of the MobileSecurityObject.

According to 18013-5, AuthorizedNamespaces is a mechanism for the issuer to convey that DeviceKey is authorized to sign data elements in that namespace and to be returned in DeviceSigned. So it doesn't make any sense to say "This structure SHOULD contain all Namespaces and IssuerSignedItems that are included in the AuthorizedNamespaces of the MobileSecurityObject." (Also, if you look at MSOs being minted today across e.g. US mDL issuers, no one is actually using DeviceSigned at all to return data elements, as far as I know.)

I also don't think it makes sense to specify what the structure SHOULD contain; I mean, it's already completely specified by 18013-5 what it contains. I would just strike the entire last sentence in the quoted paragraph.
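The distinction the issue draws, as an added example that is not part of the issue, the OpenID4VCI draft, or any ISO reference code: inside an ISO/IEC 18013-5 MobileSecurityObject, `valueDigests` is what binds every IssuerSignedItem carried in IssuerSigned, while `deviceKeyInfo.keyAuthorizations` (AuthorizedNameSpaces / AuthorizedDataElements) only states what DeviceKey may sign in DeviceSigned. The code below uses a minimal CBOR encoder written for this example (a small subset of RFC 8949, not a library), SHA-256 as the digest algorithm, a constructed COSE_Key and constructed data element values; the helper and function names are this example's own. Signature verification of issuerAuth and deviceAuth is out of scope.

```python
import hashlib


class Tag:
    """CBOR tag wrapper; only tag 24 (encoded CBOR data item) is needed here."""
    def __init__(self, number, value):
        self.number, self.value = number, value


def _head(major, n):
    # Initial byte plus argument for a CBOR major type (RFC 8949 section 3).
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < (1 << (8 * size)):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("integer too large for this encoder")


def cbor(v):
    """Minimal CBOR encoder (ints, bstr, tstr, arrays, maps, tags). Example-only subset."""
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor(x) for x in v)
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor(k) + cbor(x) for k, x in v.items())
    if isinstance(v, Tag):
        return _head(6, v.number) + cbor(v.value)
    raise TypeError(f"unsupported type {type(v).__name__}")


def issuer_signed_item(digest_id, element_id, element_value, random):
    """IssuerSignedItemBytes = #6.24(bstr .cbor IssuerSignedItem). Returns (digestID, bytes)."""
    item = {"digestID": digest_id, "random": random,
            "elementIdentifier": element_id, "elementValue": element_value}
    return digest_id, cbor(Tag(24, cbor(item)))


def build_mso(issuer_items, key_authorizations=None):
    """MSO skeleton (constructed values). valueDigests is computed over the
    IssuerSignedItemBytes; keyAuthorizations is independent of them."""
    value_digests = {ns: {did: hashlib.sha256(b).digest() for did, b in items}
                     for ns, items in issuer_items.items()}
    # Constructed COSE_Key (EC2 / P-256 labels) standing in for the real DeviceKey.
    device_key_info = {"deviceKey": {1: 2, -1: 1, -2: b"\x11" * 32, -3: b"\x22" * 32}}
    if key_authorizations is not None:
        device_key_info["keyAuthorizations"] = key_authorizations
    return {"version": "1.0", "digestAlgorithm": "SHA-256",
            "valueDigests": value_digests, "deviceKeyInfo": device_key_info,
            "docType": "org.iso.18013.5.1.mDL",
            "validityInfo": {"signed": Tag(0, "2025-02-19T00:00:00Z"),
                             "validFrom": Tag(0, "2025-02-19T00:00:00Z"),
                             "validUntil": Tag(0, "2026-02-19T00:00:00Z")}}


def check_issuer_signed(issuer_items, mso):
    """Each IssuerSignedItem must hash to the entry in valueDigests for its
    namespace and digestID. keyAuthorizations plays no part in this check."""
    for ns, items in issuer_items.items():
        digests = mso["valueDigests"].get(ns, {})
        for digest_id, item_bytes in items:
            if digests.get(digest_id) != hashlib.sha256(item_bytes).digest():
                return False
    return True


def check_device_signed(device_namespaces, mso):
    """DeviceSigned elements are acceptable only if keyAuthorizations covers
    them, either by whole namespace or by listed data element."""
    ka = mso["deviceKeyInfo"].get("keyAuthorizations", {})
    for ns, elements in device_namespaces.items():
        if ns in ka.get("nameSpaces", []):
            continue
        allowed = ka.get("dataElements", {}).get(ns, [])
        if any(e not in allowed for e in elements):
            return False
    return True


def demo():
    ns = "org.iso.18013.5.1"
    issuer_items = {ns: [issuer_signed_item(0, "family_name", "Doe", b"\x01" * 16),
                         issuer_signed_item(1, "given_name", "Jane", b"\x02" * 16)]}
    mso_no_auth = build_mso(issuer_items)                    # no keyAuthorizations at all
    mso_auth = build_mso(issuer_items, {"nameSpaces": [ns]})  # DeviceKey may sign the namespace
    device_ns = {ns: {"family_name": "Doe"}}
    return {
        "issuer_ok_without_auth": check_issuer_signed(issuer_items, mso_no_auth),
        "device_rejected_without_auth": not check_device_signed(device_ns, mso_no_auth),
        "device_ok_with_auth": check_device_signed(device_ns, mso_auth),
        "mso_bytes": cbor(Tag(24, cbor(mso_auth))),
    }


if __name__ == "__main__":
    print({k: v for k, v in demo().items() if k != "mso_bytes"})
```

An MSO with no keyAuthorizations still validates every IssuerSignedItem through `valueDigests`, which is why a "SHOULD contain all ... AuthorizedNamespaces" requirement on IssuerSigned has nothing to bite on; only a DeviceSigned element fails when the authorization is absent.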
