Hazelnut update (v5.3.0)

• Automatically resolving of node DIDs has been removed, since it caused more confusion than it simplified things.
  It was only meant for workshop/demo purposes and not allowed in strict mode, so the impact should be very limited.
  If you didn't configure a node DID but do want to exchange private credentials,
  you now have to configure it explicitly using network.nodedid.
• The tls.crl.maxvaliditydays config flag has been deprecated. CRLs are now updated more frequently, making this option obsolete.
• Adds support for RFC019 and RFC020, which describe a new EmployeeIdentity authentication means which allows an employer to make claims
  about the identity of their employees. This has a lower level of assurance, but can be used when care organisations trust each others employee enrollment process.
• Fixed issue where VDR could no longer update broken DID Documents.
• Added API calls to Didman to update endpoints and compound services (previously, they had to be deleted and then recreated to change them).
• NutsAuthorizationCredentials and NutsOrganizationCredentials now require a valid credentialSubject.id (meaning it is a DID).

What's Changed

• Bump github.com/goodsign/monday from 1.0.0 to 1.0.1 by @dependabot in #1992
• Network: adjusted 'node DID not set' log when strict mode is not set to WARN by @reinkrul in #1990
• Bump google.golang.org/protobuf from 1.29.1 to 1.30.0 by @dependabot in #1991
• DIDman: Strict API interfaces by @reinkrul in #1958
• VDR: Strict OpenAPI interfaces by @reinkrul in #1807
• Docs: describe security model by @reinkrul in #1887
• CRL: update deprecated logic by @gerardsn in #1989
• Auth: only connect to HTTPS endpoints when in strict mode by @reinkrul in #1922
• fix finding issued credentials by @woutslakhorst in #1994
• update diagnostics with owned did conflicts by @woutslakhorst in #1997
• Fix non-visible commands in documentation by @beardedfoo in #1998
• Bump google.golang.org/grpc from 1.53.0 to 1.54.0 by @dependabot in #2001
• Bump github.com/privacybydesign/irmago from 0.12.1 to 0.12.2 by @dependabot in #2000
• Auth: fix failing test by @gerardsn in #1999
• Bump github.com/nuts-foundation/go-stoabs from 1.6.0 to 1.7.0 by @dependabot in #2003
• Network: move outbound_connectors to separate diagnostics page by @reinkrul in #1966
• fix correct loading order of data in issuer store by @woutslakhorst in #1995
• refactor tls.Config creation on grpc connection manager by @woutslakhorst in #2004
• Crypto: storage funcs now pass context by @reinkrul in #1996
• VCR: Strict API interfaces by @gerardsn in #1967
• Bump github.com/nats-io/nats.go from 1.24.0 to 1.25.0 by @dependabot in #2006
• x509: show offending URL in CRL validator sync errors by @reinkrul in #2008
• Core: originate errors from modules in system lifecycle by @reinkrul in #2007
• Bump alpine from 3.17.2 to 3.17.3 by @dependabot in #2014
• JWM support in NUTS, part 2. The (de/en)crypt_jwe methods by @rolandgroen in #1912
• Network: Remove NodeDIDResolver by @gerardsn in #2016
• Auth: make Access Token duration configurable by @gerardsn in #2017
• Upgrade to Go 1.20 by @gerardsn in #2019
• Bump github.com/spf13/cobra from 1.6.1 to 1.7.0 by @dependabot in #2020
• Bump go-stoabs to v1.8.1 and go-redis to v9.0.3 by @gerardsn in #2021
• Bump golang from 1.20.2-alpine to 1.20.3-alpine by @dependabot in #2023
• use transport.Peer in conversation instead of PeerID by @woutslakhorst in #2024
• Bump golang.org/x/crypto from 0.7.0 to 0.8.0 by @dependabot in #2027
• CRL: replace validator by @gerardsn in #2011
• Bump github.com/twmb/murmur3 from 1.1.6 to 1.1.7 by @dependabot in #2043
• Network: nodeDID is not a pointer by @gerardsn in #2055
• Network: grpcConnectionManager construction can return errors to prevent panics by @gerardsn in #2046
• Bump github.com/prometheus/client_golang from 1.14.0 to 1.15.0 by @dependabot in #2057
• Core: validate truststore on load by @gerardsn in #2028
• Auth: make uzi crl validator cancellable by @gerardsn in #2029
• Update JSON-LD for new authentication means by @woutslakhorst in #2048
• Bump github.com/nats-io/nats-server/v2 from 2.9.15 to 2.9.16 by @dependabot in #2064
• Bump github.com/alicebob/miniredis/v2 from 2.30.1 to 2.30.2 by @dependabot in #2068
• Docs: fix typo in configuration.rst by @gerardsn in #2072
• Fix incorrect URL in v5.2.0 release notes by @reinkrul in #2070
• Start signing session for EmployeeIdentity by @woutslakhorst in #2062
• Bump github.com/hashicorp/vault/api from 1.9.0 to 1.9.1 by @dependabot in #2073
• Extend VerifiablePresentations build options by @woutslakhorst in #2074
• Network: remove autoresolver for node DID by @reinkrul in #2067
• Auth: fix build for selfsigned holder VP by @reinkrul in #2080
• Bump github.com/nuts-foundation/go-did from 0.4.0 to 0.5.1 by @dependabot in #2077
• Bump github.com/avast/retry-go/v4 from 4.3.3 to 4.3.4 by @dependabot in #2078
• Release notes: set v5.2.0 release date by @reinkrul in #2083
• EmployeeIdentity signing means validation by @woutslakhorst in #2075
• Docs: encode + in backup/restore for covenience by @reinkrul in #2082
• PKI: Move default certs to central location by @gerardsn in #2095
• Add certificate blacklist implementation by @beardedfoo in #2044
• Bump github.com/prometheus/client_golang from 1.15.0 to 1.15.1 by @dependabot in #2100
• Bump github.com/redis/go-redis/v9 from 9.0.3 to 9.0.4 by @dependabot in #2097
• Bump golang from 1.20.3-alpine to 1.20.4-alpine by @dependabot in #2099
• Docs: move fs2external to server commands by @gerardsn in #2101
• Docs: add selfsigned means to default contract validators by @gerardsn in #2102
• Bump github.com/prometheus/client_model from 0.3.0 to 0.4.0 by @dependabot in #2106
• Bump go.uber.org/atomic from 1.10.0 to 1.11.0 by @dependabot in #2105
• PKI: softfail when crl or denylist is missing or outdated by @gerardsn in #2104
• Feature/2047 add employeeIdentity signing means by @stevenvegt in #2079
• Bump google.golang.org/grpc from 1.54.0 to 1.55.0 by @dependabot in #2109
• VCR: remove duplicate and conflicting constants by @gerardsn in #2107
• Network: add log message when Reprocess has completed by @gerardsn in #2108
• VCR: Distinguish VP/VC not valid at given time errors by @reinkrul in #2103
• Auth: fix API client generation after self-signed implementation by @reinkrul in #2110
• Didman: make organization search more robust by @reinkrul in #2114
• PKI: fix makefile for mock by @gerardsn in #2122
• Network: add NutsComm connect-to-self health check by @gerardsn in #2098
• v5.2.1 release notes by @reinkrul in #2118
• OIDC4VCI by pre-authorisation grant for private credentials by @stevenvegt in #2009
• Bump golang.org/x/crypto from 0.8.0 to 0.9.0 by @dependabot in #2124
• Docs: fix list in Recommended Deployment by @reinkrul in #2128
• Docs: add .readthedocs.yaml to fix failing build by @gerardsn in #2129
• Docs: add gen-readme to gen-docs by @gerardsn in #2130
• Core: use /health endpoint in dockerfile by @gerardsn in #2121
• VCR: Move VCR and OIDC4VCI API packages to subpackage by @reinkrul in #2125
• make sure username claim is present for dummy, irma and selfsigned by @woutslakhorst in #2113
• VCR: Fix Swagger UI (broken after OAS file rename) by @reinkrul in #2146
• Auth: move auth to strict interface by @gerardsn in #2123
• Docs: add nodedid to backup-restore procedure by @gerardsn in #2126
• Didman: added UpdateEndpoint and UpdateCompoundService by @reinkrul in #2147
• add new authentication means to getting started by @woutslakhorst in #2092
• Auth: make roleName optional in self-signed means by @reinkrul in #2148
• removed dead diagnostics code by @woutslakhorst in #2155
• always write index data for VDR, never check on duplicate (#2141) by @woutslakhorst in #2156
• Bump github.com/privacybydesign/irmago from 0.12.2 to 0.12.3 by @dependabot in #2152
• Bump alpine from 3.17.3 to 3.18.0 by @dependabot in #2144
• irma config no longer generates errors by @woutslakhorst in #2162
• Release notes: added parallel update fix for v5.1.0 by @reinkrul in #2081
• update release notes by @woutslakhorst in #2163
• OpenID4VCI: Verify identifiers in resolved metadata by @reinkrul in #2153
• VCR: Use DID library JSON marshaller (revert API behavior to v5.1) by @reinkrul in #2164
• Docs: add new Didman APIs to v5.3.0 release notes by @reinkrul in #2151
• VCR: validate credentialSubject by @reinkrul in #2117
• Bump github.com/stretchr/testify from 1.8.2 to 1.8.3 by @dependabot in #2178
• Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.2 by @dependabot in #2176
• Bump github.com/nats-io/nats-server/v2 from 2.9.16 to 2.9.17 by @dependabot in #2177
• Bump github.com/privacybydesign/irmago from 0.12.3 to 0.12.4 by @dependabot in #2173
• Auth: add missing selfsigned fields userRole and username to Access token by @reinkrul in #2175
• VCR: Add assuranceLevel to Resource type by @reinkrul in #2179
• make assuranceLevel optional by @woutslakhorst in #2183
• fix make gen-docs by @gerardsn in #2182
• the conversation manager used a timer in its cleanup routine by @woutslakhorst in #2184
• PKI: turn PKI into an engine by @gerardsn in #2158
• added Start() to auth means signers for session cleanup by @woutslakhorst in #2169
• Bump github.com/nats-io/nats.go from 1.25.0 to 1.26.0 by @dependabot in #2186
• change all refs from selfsigned to employeeid by @woutslakhorst in #2180
• fix key resolving when multiple keys exist by @woutslakhorst in #2191
• Bump github.com/privacybydesign/irmago from 0.12.4 to 0.12.5 by @dependabot in #2190
• Dockerfile: partial revert of #2121 by @gerardsn in #2192
• Allow literal \n in trustedsigner by @beardedfoo in #2185
• update release notes for v5.3.0 by @woutslakhorst in #2194
• PKI: add HealthCheckable by @gerardsn in #2195
• backport 5.3: do not check if CA (#2196) by @gerardsn in #2220

Full Changelog: v5.2.0...v5.3.0