Fix #267, explain why we are not using JSON Path or JSON Pointer

draft-ietf-oauth-sd-jwt-vc.md

@@ -1001,6 +1001,13 @@ selectively disclosable claims were disclosed to a Verifier. That means that a
 consuming application which does not have access to all disclosures may not be
 able to identify the claim which is being addressed.
 
+Note: This specification does intentionally not use JSON Pointer [@RFC6901] for
+selecting claims, as JSON Pointer requires string parsing and does not support
+wildcard selection of array elements. It does not use JSON Path [@?I-D.goessner-dispatch-jsonpath] as
+that introduces a considerable complexity and brings in a lot of features that
+are not needed for the use case of selecting claims in a credential. There are
+also security concerns with some implementations.
+
 ## Claim Display Metadata {#claim-display-metadata}
 
 The `display` property is an array containing display information for the
@@ -1315,6 +1322,7 @@ recommendations in (#robust-retrieval) apply.
     </author>
   </front>
 </reference>
+
 {backmatter}
 
 # IANA Considerations
@@ -1573,6 +1581,7 @@ for their contributions (some of which substantial) to this draft and to the ini
 -09
 
 * Use SD-JWT KB in place of SD-JWT with Key Binding JWT
+* Document reasons for not using JSON Pointer or JSON Path (Issue #267)
 
 -08