Some further thoughts:

- Do all issuers need to support both to work with all verifiers?
- Is there a security risk if we trust issuers based on the iss string
and someone gets the domain associated and provides metadata while the
issued credentials used X509?

Sincerely,
Watson

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org

Reply via email to