Michael B. Jones

Results: 155 comments by Michael B. Jones

Internationalization considerations are the most important thing to deal with here, as I see it. In general, whenever you include text strings intended for display for human consumption, the there...

> @selfissued - The point of this PR is that Key Binding isn't just an optional feature -- it's a feature that causes a security failure if you forget to...

> @selfissued, would removing the `application/sd-jwt-kb` media type from this PR sufficiently alleviate your concern? Or is it more than that?

Yes, my objection is to having two media types....

I support defining `cnf` as the way to do holder binding. I'll note that `cnf` is extensible via a registry, so should the existing `cnf` parameters not work for a...

I think that the current encoding design, which had a lot of thought put into it, does a good job balancing many real engineering tradeoffs. It would be unnecessarily disruptive...

> The OpenID Federation does not specify what must be served on dereferencing the Entity Identifier (ClientID) itself; only the Entity Configuration (i.e. self-issued Entity Statement) at /.well-known/openid-federation is required....

Thanks for the useful discussion. I've filed this issue https://bitbucket.org/openid/connect/issues/1716/clarify-that-entity-statement-paths to clarify that Entity Statements are retrieved from a path that concatenates the Entity Identifier with `/.well-known/openid-federation` when using automatic...

We could say that JOSE and COSE objects can be encrypted after being signed. That said, how to obtain the encryption keys is beyond the scope of the specification.

I marked this as post-CR because normative changes to the spec are not being proposed. These clarifications would be nice-to-have, if someone wants to create PRs.