The current combinations mean that if a realm claims a credential type is obtainable the realm is also required to be able to validate that credential type.

This leads to a couple of problems: -

• Some types the realm is now forced to verify don't actually make sense, e.g. verify a DigestPassword just because it is obtainable when verifying one does not actually make sense.
• We have no API for comparison of specialised credential types so the realm needs to understand how to compare them.

So instead we need to relax the CredentialSupport options to allow a realm to return a type without actually being able to verify that type.