docs: ISO/IEC 18013-5 mdoc implementation plan + EU Age Verification profile compliance plan

[DibranMulder]

Adds two planning documents:

docs/mdoc-implementation-plan.md — the implementation plan for landing the mso_mdoc credential format in irmago, covering issuance to the wallet via OpenID4VCI and disclosure via OpenID4VP (DCQL). It covers the current state of the openid4vci branch, scope and non-goals, key design decisions (CBOR/COSE dependencies, new eudi/credentials/mdoc/ package, device key reuse, the DcqlCredentialQueryHandler interface extension, SessionTranscript handover construction), and independently mergeable, automatically tested milestones, using multipaz as the reference implementation.

docs/av-profile-compliance-plan.md — a cross-check of the mdoc plan against the EU Age Verification technical specification and its Annex A AV profile, plus a delivery plan for making go-passport-issuer an AV-compliant Attestation Provider issuing eu.europa.ec.av.1 proof-of-age mdocs over OpenID4VCI. Key findings: the mdoc plan is largely AV-compatible as-is; the main gaps are the W3C Digital Credentials API presentation path (ISO 18013-7 Annex C, HPKE-encrypted responses — the AV profile's primary channel, added as milestone M8), support for unsigned OpenID4VP requests with the redirect_uri client-id scheme, MSO timestamp-precision truncation, and ETSI TS 119 612 trusted-list support.

Tracking issues

The plans have been converted to issues — one tracking issue with the milestones as sub-issues:

• ISO/IEC 18013-5 mdoc support (mso_mdoc) + EU Age Verification profile compliance #562 — ISO/IEC 18013-5 mdoc support + EU AV profile compliance (tracking issue)
  • irmago milestones:
    • mdoc M1: CBOR/COSE foundation #563 — M1: CBOR/COSE foundation
    • mdoc M2: data model — parsing and verification #564 — M2: data model — parsing and verification
    • mdoc M3: building — issuer and device sides #565 — M3: building — issuer and device sides
    • mdoc M4: wallet storage and client surface #566 — M4: wallet storage and client surface
    • mdoc M5: OpenID4VCI issuance of mso_mdoc #567 — M5: OpenID4VCI issuance of mso_mdoc
    • mdoc M6: OpenID4VP disclosure of mso_mdoc #568 — M6: OpenID4VP disclosure of mso_mdoc
    • mdoc M7: hardening, conformance, docs #569 — M7: hardening, conformance, docs
    • mdoc M8: Digital Credentials API presentation (ISO/IEC 18013-7 Annex C) #572 — M8: Digital Credentials API presentation (ISO 18013-7 Annex C)
  • EU AV profile / go-passport-issuer phases (sub-issues of ISO/IEC 18013-5 mdoc support (mso_mdoc) + EU Age Verification profile compliance #562 in privacybydesign/go-passport-issuer):
    • go-passport-issuer#115 — AV P1: proof_of_age mdoc minting
    • go-passport-issuer#116 — AV P2: OpenID4VCI issuer core
    • go-passport-issuer#117 — AV P3: wire OpenID4VCI issuance into the document-validation flow
    • go-passport-issuer#118 — AV P4: authorization code flow
    • go-passport-issuer#119 — AV P5: AV trust & operational compliance
    • go-passport-issuer#120 — AV P6: AV reference implementation interop & conformance

The AV-profile deltas have been appended to the affected milestone issues as "EU AV profile addendum" sections.