we need to be cognizant that, in json, attributes themselves can be signed. So the json element can be a fully formed jose structure. What this means is that there can be externally sourced attributes that carry their own assurances and do not need to be processed by any implementation that does not need the data contained. This feature will be included in identity standards now in development.

This does not need to be articulated in the current draft as the standards are not complete, but it would not be good to prevent it.

I fully agree that singers (issuers) need to be responsible for the data that they sign that is not signed by others.

Be the change you want to see in the world ..tom