Do folks in the WG think there'd be utility in having a way to identity the finger/thumbprint of a key in the cnf claim. A presenter might, for example, present the JWT along with a public JWK and some proof-of-possession of that JWK. And the JWK would be bound to the JWT via the thumbprint, which is more space efficient (with respect to the JWT anyway) than the full JWK.
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth