Establish common identifier between IA and IdA not exposed to CC

Issue #1319 new
Edmund Jay created an issue

Comments from TL regarding pull request #39

https://bitbucket.org/openid/connect/pull-requests/39/merging-cp-into-ca#comment-238240866

I feel uncomfortable with the fact that this request and the respective response are not tied in any way to a subject value previously attested by the IA to the IdA. If, for whatever reason, the IdA mixes up access tokens, it may request and subsequently present the wrong claims (belonging to a different user) to a CC.

I think IA and IdA need to establish a common identifier that is not exposed to a CC.
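The failure mode and the proposed mitigation, as an added illustration that is not part of the issue, the pull request, or any OpenID specification text: the IA attests a pairwise subject identifier to the IdA, the IdA binds that identifier to the access token it stores, checks it against the `sub` in every claims response before forwarding, and gives the CC a separately derived identifier so the IA/IdA identifier never reaches the CC. Class names, the HMAC-based derivation, and the `swap_tokens` bug are assumptions made for this example.

```python
"""Constructed illustration (not project code) of the check proposed in the
issue: a per-user identifier shared by IA and IdA, bound to the access
token, verified on each claims response, and never exposed to the CC.
All names (IdentityAuthority, IdentityAggregator, ia_sub, cc_sub) are
assumptions for this example."""

import hashlib
import hmac
import secrets


class IdentityAuthority:
    """Toy IA: attests a user to an IdA and serves claims by access token."""

    def __init__(self, pairwise_secret: bytes):
        self._secret = pairwise_secret
        self._tokens = {}   # access token -> internal user id
        self._users = {}    # internal user id -> claims

    def register_user(self, internal_id: str, claims: dict) -> None:
        self._users[internal_id] = claims

    def pairwise_sub(self, internal_id: str, ida_id: str) -> str:
        # Identifier shared only with this IdA (derived per IdA, so neither
        # the CC nor another IdA can correlate it).
        msg = f"{ida_id}:{internal_id}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def attest(self, internal_id: str, ida_id: str) -> tuple:
        """Initial authentication of the user at the IA on behalf of the IdA:
        returns the attested pairwise sub and an access token for later use."""
        token = secrets.token_urlsafe(16)
        self._tokens[token] = internal_id
        return self.pairwise_sub(internal_id, ida_id), token

    def claims(self, token: str, ida_id: str) -> dict:
        """Claims endpoint: every response repeats the attested pairwise sub."""
        internal_id = self._tokens[token]
        return {"sub": self.pairwise_sub(internal_id, ida_id), **self._users[internal_id]}


class IdentityAggregator:
    def __init__(self, ida_id: str, ia: IdentityAuthority, cc_secret: bytes):
        self.ida_id = ida_id
        self.ia = ia
        self._cc_secret = cc_secret
        self._sessions = {}   # session id -> (attested ia_sub, access token)

    def login(self, session: str, internal_id: str) -> None:
        ia_sub, token = self.ia.attest(internal_id, self.ida_id)
        self._sessions[session] = (ia_sub, token)

    def swap_tokens(self, a: str, b: str) -> None:
        """Constructed bug: the IdA mixes up two sessions' access tokens."""
        sub_a, tok_a = self._sessions[a]
        sub_b, tok_b = self._sessions[b]
        self._sessions[a] = (sub_a, tok_b)
        self._sessions[b] = (sub_b, tok_a)

    def claims_for_cc(self, session: str, cc_id: str) -> dict:
        ia_sub, token = self._sessions[session]
        response = self.ia.claims(token, self.ida_id)
        # The check: the claims must belong to the subject attested at login.
        if not hmac.compare_digest(response["sub"], ia_sub):
            raise ValueError("claims response not bound to attested subject")
        # Forward under a CC-specific identifier; ia_sub never leaves the IdA.
        cc_msg = f"{cc_id}:{ia_sub}".encode()
        cc_sub = hmac.new(self._cc_secret, cc_msg, hashlib.sha256).hexdigest()
        return {"sub": cc_sub, **{k: v for k, v in response.items() if k != "sub"}}


def demo() -> tuple:
    """Runs the happy path, then the token mix-up; returns
    (claims delivered to the CC, mix-up was caught, IA identifier leaked)."""
    ia = IdentityAuthority(secrets.token_bytes(32))
    ia.register_user("u1", {"given_name": "Alice"})
    ia.register_user("u2", {"given_name": "Bob"})
    ida = IdentityAggregator("ida.example", ia, secrets.token_bytes(32))
    ida.login("s1", "u1")
    ida.login("s2", "u2")
    delivered = ida.claims_for_cc("s1", "cc.example")   # Alice's claims
    leaked = delivered["sub"] == ia.pairwise_sub("u1", "ida.example")
    ida.swap_tokens("s1", "s2")                         # the mix-up
    try:
        ida.claims_for_cc("s1", "cc.example")           # would be Bob's claims
        caught = False
    except ValueError:
        caught = True
    return delivered, caught, leaked


if __name__ == "__main__":
    print(demo())
```

Without the `sub` comparison in `claims_for_cc`, the second call would hand Bob's claims to the CC under Alice's session, which is exactly the mix-up the comment describes; with it, the IdA fails closed. The CC-facing `sub` is a separate HMAC over the IA/IdA identifier, so the CC cannot recover or correlate the identifier the IA and IdA share.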
