Signed request for client authentication and proof of possession of key material
Comments from TL regarding pull request #39
https://bitbucket.org/openid/connect/pull-requests/39/merging-cp-into-ca#comment-236569518
Signed requests are defined and used for client authentication - it seems you want to use it for proof of possession of the holder's key material.
How does the OP determine which mode the client wants to use?
How is the client authenticated if the signed request is used for other purposes?
https://bitbucket.org/openid/connect/pull-requests/39/merging-cp-into-ca#comment-238240292
Defining how client authentication and proof of possession (for holders) works is a fundamental topic for this PR. I would prefer to discuss and solve it here. In my opinion, proof of possession should use a separate, new parameter in order to decouple both aspects and preserve integrity of client authentication and OIDC signed requests. The holder could, for example, sign the nonce value. This would also provide replay protection.
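A minimal sketch of the signed-nonce proof of possession TL proposes above, as an added example that is neither part of the PR discussion nor OpenID Connect specification code; the Ed25519 key, the single-use nonce store and the function names are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// NonceStore tracks nonces the OP has issued but not yet accepted a proof for.
// Constructed example: a real OP would persist this with an expiry.
type NonceStore struct {
	issued map[string]bool
}

func NewNonceStore() *NonceStore { return &NonceStore{issued: map[string]bool{}} }

// Issue creates a random nonce and records it as outstanding.
func (s *NonceStore) Issue() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	n := fmt.Sprintf("%x", b)
	s.issued[n] = true
	return n, nil
}

// ProveNonce is the holder's side: sign the OP-issued nonce with the key
// the holder claims to possess (a parameter separate from client authentication).
func ProveNonce(priv ed25519.PrivateKey, nonce string) []byte {
	return ed25519.Sign(priv, []byte(nonce))
}

// VerifyProof is the OP's side: the nonce must be one it issued and not yet
// used, and the signature must verify under the holder's public key. Accepted
// nonces are consumed, so a replayed proof is rejected.
func (s *NonceStore) VerifyProof(pub ed25519.PublicKey, nonce string, sig []byte) error {
	if !s.issued[nonce] {
		return errors.New("unknown or already used nonce")
	}
	if !ed25519.Verify(pub, []byte(nonce), sig) {
		return errors.New("signature does not verify under holder key")
	}
	delete(s.issued, nonce)
	return nil
}
```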