If the client signs its requests using Automatic Registration with keys published at the location its https Client ID refers to, then that proves that the client is in possession of the corresponding private keys. This can prevent client impersonation.
Please consider updating the Impersonation Attacks section to discuss this possible mitigation.
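The check described above, sketched as an added example that is not part of the original issue or of the specification text: the OP accepts a signed request object only if its signature verifies against a key published for the `https` Client ID. The `fetchJwks` callback, the key ID `rp-1` and the `example.org` URLs are assumptions for illustration. Trust chain resolution and the `exp`/`jti`/`aud` checks are left out.

```javascript
const crypto = require("node:crypto");
const b64u = (s) => Buffer.from(s).toString("base64url");

// Client side: build a compact ES256 JWS over the request object claims.
function signRequestObject(claims, privateKey, kid) {
  const input = `${b64u(JSON.stringify({ alg: "ES256", kid }))}.${b64u(JSON.stringify(claims))}`;
  const sig = crypto.sign("sha256", Buffer.from(input), { key: privateKey, dsaEncoding: "ieee-p1363" });
  return `${input}.${sig.toString("base64url")}`;
}

// OP side: accept only if the signature verifies with a key published for client_id.
// fetchJwks(clientId) is a hypothetical stand-in for retrieving the client's published keys.
function verifyRequestObject(jws, fetchJwks) {
  const [h, p, s] = jws.split(".");
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, "base64url").toString());
    claims = JSON.parse(Buffer.from(p, "base64url").toString());
  } catch {
    return { ok: false, reason: "malformed" };
  }
  if (!s || header.alg !== "ES256") return { ok: false, reason: "alg not allowed" };
  const id = claims.client_id;
  if (typeof id !== "string" || !id.startsWith("https://")) return { ok: false, reason: "client_id not https" };
  if (claims.iss !== id) return { ok: false, reason: "iss mismatch" };
  const jwk = (fetchJwks(id) || []).find((k) => k.kid === header.kid);
  if (!jwk) return { ok: false, reason: "unknown key" };
  const { kid, ...material } = jwk; // pass only the key parameters to the importer
  const valid = crypto.verify(
    "sha256",
    Buffer.from(`${h}.${p}`),
    { key: crypto.createPublicKey({ key: material, format: "jwk" }), dsaEncoding: "ieee-p1363" },
    Buffer.from(s, "base64url")
  );
  return valid ? { ok: true, client_id: id } : { ok: false, reason: "bad signature" };
}

// Constructed sample data: the registered client's key pair and an unrelated key pair.
const CLIENT_ID = "https://rp.example.org";
const rp = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
const other = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
const published = { [CLIENT_ID]: [{ ...rp.publicKey.export({ format: "jwk" }), kid: "rp-1" }] };
const fetchJwks = (clientId) => published[clientId];
const claims = { iss: CLIENT_ID, client_id: CLIENT_ID, aud: "https://op.example.org" };
const genuine = signRequestObject(claims, rp.privateKey, "rp-1");
const unrelated = signRequestObject(claims, other.privateKey, "rp-1");
```

A request naming the same Client ID but signed with any key other than the published one is rejected with `bad signature`, which is the impersonation mitigation the issue asks the section to mention.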