Security: Consider limiting the URLs that are considered valid

[scouten-adobe]

There is currently no stated restriction or guidance on the URIs used for verifiedIdentities[?].uri or verifiedIdentities[?].provider.id as specified in §8.1.2.5, "Verified identities, though we assume that those would be https URIs.

Consider restricting these URIs to https or a known-approved list of URI types.