708 better guidance how the verifier matches the incoming direct post request with the user session

1.0/openid-4-verifiable-presentations-1_0.md

@@ -367,7 +367,7 @@ The following additional considerations are given for pre-existing Authorization
 : REQUIRED. Defined in [@!RFC6749]. This specification defines additional requirements to enable the use of Client Identifier Prefixes as described in (#client_metadata_management). The Client Identifier can be created by parties other than the Wallet and it is considered unique within the context of the Wallet when used in combination with the Client Identifier Prefix.
 
 `state`:
-: REQUIRED under the conditions defined in (#nkb-credentials). Otherwise, `state` is OPTIONAL. `state` values MUST only contain ASCII URL safe characters (uppercase and lowercase letters, decimal digits, hyphen, period, underscore, and tilde).
+: REQUIRED under the conditions defined in (#nkb-credentials). Otherwise, `state` is RECOMMENDED, see (#security_considerations_direct_post). `state` values MUST only contain ASCII URL safe characters (uppercase and lowercase letters, decimal digits, hyphen, period, underscore, and tilde).
 
 ## Requesting Presentations without Holder Binding Proofs {#nkb-credentials}
 
@@ -3566,9 +3566,10 @@ The technology described in this specification was made available from contribut
 
 -31
 
+   * Clarify that state is recommended to match text from Section 14.3.2. Protection of the Response URI
    * Clarify that `encrypted_response_enc_values_supported` applies only if JWE content encryption algorithm is used
    * Clarify that `aud` corresponds to `issuer` Wallet Metadata paremeter if Dynamic Discovery is used 
 
 -final
 
-   * https://openid.net/specs/openid-4-verifiable-presentations-1_0-final.html
+   * https://openid.net/specs/openid-4-verifiable-presentations-1_0-final.html

1.1/openid-4-verifiable-presentations-1_1.md

@@ -363,7 +363,7 @@ The following additional considerations are given for pre-existing Authorization
 : REQUIRED. Defined in [@!RFC6749]. This specification defines additional requirements to enable the use of Client Identifier Prefixes as described in (#client_metadata_management). The Client Identifier can be created by parties other than the Wallet and it is considered unique within the context of the Wallet when used in combination with the Client Identifier Prefix.
 
 `state`:
-: REQUIRED under the conditions defined in (#nkb-credentials). Otherwise, `state` is OPTIONAL. `state` values MUST only contain ASCII URL safe characters (uppercase and lowercase letters, decimal digits, hyphen, period, underscore, and tilde).
+: REQUIRED under the conditions defined in (#nkb-credentials). Otherwise, `state` is RECOMMENDED, see (#security_considerations_direct_post). `state` values MUST only contain ASCII URL safe characters (uppercase and lowercase letters, decimal digits, hyphen, period, underscore, and tilde).
 
 ## Requesting Presentations without Holder Binding Proofs {#nkb-credentials}
 
@@ -3633,5 +3633,6 @@ The technology described in this specification was made available from contribut
 
    * Add usage of HPKE for the `info` parameter. 
    * Add security consideration not to use VP Token as Access Token
+   * Clarify that state is recommended to match text from Section 14.3.2. Protection of the Response URI
    * Clarify that `encrypted_response_enc_values_supported` applies only if JWE content encryption algorithm is used; e.g., it does not apply to JOSE HPKE
    * Clarify that `aud` corresponds to `issuer` Wallet Metadata paremeter if Dynamic Discovery is used