Discovery contains this TBD section:
Following items remain to be done in this draft:
• Should issuer be in the Provider Configuration Response?
• Should issuer be explicitly restricted to the https:// scheme?
We should either resolve these issues or track them in Bitbucket, rather than including them in the spec.