When combining DIDs with OpenID Federation, we need to define how they integrate, and how you verify the integrity of the DID within the process. The current assumption is:
- The Entity Configuration `vc_issuer.jwks[].kid` MUST exactly match the `kid` header in a VC. If this is a DID URL, the JWK entry MUST match the key in the DID document.
- The `kid`, if a DID is used, must be a full DID with key reference.
- If the credential contains an `iss` (optional with SD-JWT-VC, do we want to require it?) or `issuer`/`issuer.id` which is a DID, it MUST match the DID used in the `kid`.

This ensures that a VC issued with the federation profile DOES NOT require understanding of DIDs and can be fully verified based on the OpenID Federation logic, but you can verify the binding to the DID as well (#93).
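
The three checks above as a verifier-side sketch. This is an added example, not part of the original post or of any project's code. It assumes the JWKS sits at `metadata.vc_issuer.jwks.keys`, compares keys by RFC 7638 thumbprint, and leaves signature and trust chain validation to the normal federation flow; `check_did_binding` and all sample values are hypothetical.

```python
import hashlib
import json

# Members that feed an RFC 7638 JWK thumbprint, per key type.
_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "OKP": ("crv", "kty", "x"), "RSA": ("e", "kty", "n")}

def jwk_thumbprint(jwk):
    """SHA-256 over the canonical required members, so extra fields (kid, use) are ignored."""
    canonical = json.dumps({m: jwk[m] for m in _MEMBERS[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def check_did_binding(header, payload, entity_config, did_document=None):
    """Return the list of violated rules; an empty list means every check passed."""
    kid = header.get("kid")
    if not isinstance(kid, str):
        return ["VC header has no kid"]
    # Assumed layout: metadata.vc_issuer.jwks.keys[] (the post abbreviates it as jwks[]).
    keys = entity_config["metadata"]["vc_issuer"]["jwks"]["keys"]
    fed_jwk = next((k for k in keys if k.get("kid") == kid), None)  # exact match only
    if fed_jwk is None:
        return ["kid is not listed in vc_issuer.jwks"]
    if not kid.startswith("did:"):
        return []  # non-DID kid: nothing beyond the federation checks
    errors = []
    did, _, fragment = kid.partition("#")
    if not fragment:
        errors.append("DID kid has no key reference")
    issuer = payload.get("iss") or payload.get("issuer")
    if isinstance(issuer, dict):
        issuer = issuer.get("id")
    if isinstance(issuer, str) and issuer.startswith("did:") and issuer != did:
        errors.append("issuer DID does not match the DID in kid")
    if did_document is not None:  # optional: only verifiers that resolve DIDs do this
        methods = did_document.get("verificationMethod", [])
        vm = next((m for m in methods if m.get("id") in (kid, "#" + fragment)), {})
        vm_jwk = vm.get("publicKeyJwk")
        if not vm_jwk or jwk_thumbprint(vm_jwk) != jwk_thumbprint(fed_jwk):
            errors.append("federation JWK does not match the DID document key")
    return errors

# Constructed sample data; the x value is a placeholder, not a real key.
KID = "did:web:issuer.example#key-1"
JWK = {"kty": "OKP", "crv": "Ed25519", "x": "c2FtcGxlLXB1YmxpYy1rZXk", "kid": KID}
ENTITY_CONFIG = {"metadata": {"vc_issuer": {"jwks": {"keys": [JWK]}}}}
DID_DOC = {"id": "did:web:issuer.example", "verificationMethod": [
    {"id": KID, "publicKeyJwk": {k: JWK[k] for k in ("kty", "crv", "x")}}]}
```

Passing `did_document=None` runs only the checks that need no DID resolution, which mirrors the point that a federation-only verifier can still validate the credential.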