Hello Tom,

The client attestation draft does not make any suggestions on the architecture but gives a general-purpose mechanism for how to authenticate a client in OAuth using an attestation. The primary/first use case for this is public clients for high assurance credentials with OpenID4VCI in eIDAS, focusing on mobile apps and not on web wallets. For this use case we already developed a demonstrator and presented this at the last IIW.

How the authorisation server trusts the attestation of the client backend (the attestation service) is out of scope of this specification, but will ultimately be solved by prearranged trust relations or trust frameworks with trust lists.

Best regards,
Paul
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth