Section 1 "Another significant limitation of back-channel logout is that the RP's back-channel logout URI must be reachable from all the OPs used. This means, for instance, that the RP cannot be behind a firewall or NAT when used with public OPs." this confuses me. Is it not automatically true already for any RP supporting OpenID Connect?
Section 2.3 "OPs supporting back-channel logout need to keep track of the set of logged-in RPs" - I have no good idea what this means. I did not think that RPs were logged in. Could it mean "keep track of user logged in sessions at an RP"?