Some further thoughts:

- Do all issuers need to support both to work with all verifiers?
- Is there a security risk if we trust issuers based on the iss string and someone gets the domain associated and provides metadata while the issued credentials used X509?

Sincerely,
Watson

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org