As the SIOP specification currently stands, the `sub` field of the id_token returned in a SIOP response is required to be the JWK thumbprint of the `sub_jwk` value that must also be present in the response. This relationship prevents good cryptographic practice by eliminating the ability to rotate the `sub_jwk` key without also creating a new `sub` value (and hence a new identity towards relying parties). This point is summarized in slides 8 to 12 of the presentation I gave at SIOP meetup 2.

Essentially the suggested resolution (captured on slide 10) is that there needs to be a breaking change around this statement in SIOP that redefines it to allow for key rotation.
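To make the coupling concrete, here is an added example (not code from the SIOP specification or any SIOP implementation) that computes the RFC 7638 thumbprint an RP would derive from `sub_jwk`, checks an id_token the way the current text requires, and shows that swapping in a rotated key necessarily changes `sub`. The RSA key is the RFC 7638 worked example, the rotated P-256 key is taken from the RFC 7515 appendix examples, and the id_token claim sets are constructed.

```python
import base64
import hashlib
import json

# Required members per key type (RFC 7638 section 3.2); sorted lexicographically below.
_REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members,
    base64url-encoded without padding. Optional members (kid, alg, use) are ignored."""
    members = {name: jwk[name] for name in _REQUIRED_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def siop_sub_for(sub_jwk: dict) -> str:
    """The sub value the current SIOP text mandates: the thumbprint of sub_jwk."""
    return jwk_thumbprint(sub_jwk)


def rp_accepts(id_token_claims: dict) -> bool:
    """Relying-party check on a SIOP id_token: sub must equal thumbprint(sub_jwk)."""
    return id_token_claims.get("sub") == jwk_thumbprint(id_token_claims["sub_jwk"])


# Public key from the RFC 7638 section 3.1 example (a published test vector).
ORIGINAL_KEY = {
    "kty": "RSA",
    "kid": "2011-04-29",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
}

# Rotated key: the P-256 public key from the RFC 7515 appendix A.3 example.
ROTATED_KEY = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def rotation_changes_identity() -> bool:
    """True when rotating sub_jwk forces a different sub, i.e. a new identity to the RP."""
    return siop_sub_for(ORIGINAL_KEY) != siop_sub_for(ROTATED_KEY)


if __name__ == "__main__":
    token = {"sub": siop_sub_for(ORIGINAL_KEY), "sub_jwk": ORIGINAL_KEY}  # constructed claims
    print("accepted before rotation:", rp_accepts(token))
    token["sub_jwk"] = ROTATED_KEY  # rotate the key but keep the established sub
    print("accepted after rotation:", rp_accepts(token))
```

Running it shows the RP accepting the original token and rejecting the same `sub` once `sub_jwk` is rotated, which is exactly the situation the proposed breaking change would have to address.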