Add privacy consideration regarding k-anonymity degradation over time

[msporny]

From @kdenhartog from a post on the CCG mailing list:

A sufficiently large credential set is established per bitstring list, but the expiration period is vastly different per credential. In this scenario, the maximum K-anonymity factor is the number of active indexes in use. So if we start out with an active list of 10,000 then that’s the largest cohort. However, the degradation happens when credentials start revoking. So let’s say 9,999 credentials expire in 30 days, but one last 10 years. Then for the first 30 days, the K-anonymity factor is closer to the max of 10,000 and afterwards it degrades to 1.

We should add some text to the privacy considerations section noting that k-anonymity degrades over time for credentials that have vastly differing expiration periods.

[kdenhartog]

This would also occur for credentials with different status list check needs beyond just expiration. Basically only K-Anonymity is maintained if status checks are relevant to all particular credentials in the same way, otherwise it degrades to the subset that's actually being checked. For example, if only a limited subset of people had a "restricted driver" check based on the age (say for example 14 year olds with school permits) then the verifier would first check age and if they're 14 or 15 would check if they have a valid "restricted driver" status. However, if this status is issued to every driver regardless of age then none of the 16+ drivers would actually be checked. In which case, the K-anonymity degrades to the subset of 14/15 year old drivers even though the status has been issued to all drivers.