Define expected response if claims and claim_sets is omitted in DCQL

[awoie]

Both, claims and claim_sets are OPTIONAL. It is unclear what claims the response should have to satisfy the request. Options are "all" or "no" claims at all.

[martijnharing]

Section 6.3.1 says:

"The following rules apply for selecting claims via claims and claim_sets:
If claims is absent, the Verifier requests all claims existing in the Credential."

So I'd say currently you would have to return everything.
But I think this is probably a bad idea to have as an option. It makes it easier for the RP to just go for the 'simplest' option and request everything, which is bad in a number of ways:

• You will very likely over ask
• It will get data that it's unlikely to parse, since if you don't know how to request a data element, you are unlikely to be able to parse it meaningfully.
• The user will likely see this as "the RP requested x, y and z" even though the RP didn't explicitly ask for it and may not even be aware that is effectively asking for more elements than it though (e.g. if additional elements are present).
• Doesn't work well with credential selection, since every credential of the correct type will always match the request, even if it doesn't in reality.

I'd propose to make the presence of claims mandatory