As per CDR specification on client authentication during Data Holder calling ADR (during CDR Arrangement revocation endpoint), JWT with specific claims is required.
Who creates this JWT?
If a Data Holder is creating the JWT then what would be the signing certificate and how will Data Recipients validate it?
As of V1.4.0 of the CDR Register Design the sequence diagram has been updated to outline this process.
The data holder is responsible for creating this JWT which the data recipient then validates the signature. Data recipients authenticate data holders using JWKS specified in data holder brands discovery APIs.