Authenticate RP to Old OP during porting

Issue #50 resolved
James Manger created an issue

draft-account-porting-01 assumes an encrypted port_token is basically a bearer token allowing the RP to call the Old OP to complete the porting flow without further authentication.

The Old OP is effectively leveraging the authentication of the RP by the New OP. This is awkward when the Old OP and New OP don't identify RPs in exactly the same way. Old & New OPs will have separate client_ids for a given RP so that doesn't help. Old & New OPs should both understand the same sector_id for an RP. However, sector_ids might not be properly implemented everywhere. In particular, an OP that issues public subject ids doesn't use sector_ids.

See email thread.
