Section 1.2 says (emphasis is mine):
The Issuer knows the Origin's secret (Issuer Origin Secret) and policy about client access, and learns the Origin's identity (Origin Name) and the number of previous tokens issued to the Client (as communicated by the Attester) during issuance.
However, in the protocol it does not seem that the attester sends this value to the issuer. Instead, the issuer uses a “Sec-Token-Limit” Item Structured Header that "contains the number of times a Client can retrieve a token for the requested Origin".
From this inconsistency, the following is unclear:
Does the issuer learn (or should it learn) the number of previous tokens issued to the client?
Why is “Sec-Token-Limit” set on every response from the issuer to the attester? How does the attester verify that this value is not arbitrarily set by the issuer on every request, even when it is for the same origin?