Episode 81: OAuth Status List and Attestation-Based Client Authentication

In SAML, the entityID is used for both IdPs and RPs. But in OpenID Connect, there is no stable identifier for the RP. This has become problematic for verifiable credential presentation. One solution is to enable the client to assert their identity, via an attestation. Oversight? Feature? Either way, it's going to be really helpful! We're going to save a few minutes at the end to talk about a new draft OAuth standard for Status Lists, which is like a more efficient "certificate revocation list" design to revoke JWT tokens. Clients should verify not only the signature, but also the status of the token, just like we check for revocation of X.509 certificates.
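The "signature first, then status" check from the last sentence, worked through as an added example (this is not code from the episode or from the draft's authors). The claim layout follows the Status List draft: the referenced token carries `status.status_list.{idx,uri}`, the list itself is a signed JWT with `typ` `statuslist+jwt`, `sub` equal to its own URI, optional `ttl`, and `status_list.{bits,lst}` where `lst` is the base64url of a DEFLATE-compressed bit array packed least-significant-bit first. Everything else is an assumption made so the script runs offline: HS256 with a shared key stands in for the issuer's asymmetric signing key, the key, `https://issuer.example` URIs, `check_token_status`, `fetch_status_list` and `make_referenced_token` are constructed for the demo, and the 16-entry list reproduces the byte pattern 0xB9 0xA3 that the draft uses in its own example.

```python
# Added example: verify a JWT's signature, then look up its status in an OAuth
# Status List. Not code from the podcast. Assumptions (not on the page): HS256
# with a shared key stands in for the issuer's asymmetric key; the key, URIs
# and fetch_status_list() below are constructed so this runs offline.
import base64
import hashlib
import hmac
import json
import zlib
from typing import Callable, List, Optional

STATUS_NAMES = {0x00: "VALID", 0x01: "INVALID", 0x02: "SUSPENDED"}  # per the draft

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(payload: dict, key: bytes, typ: str = "JWT") -> str:
    """Mint an HS256 JWS (demo stand-in for the issuer's real signature)."""
    header = {"alg": "HS256", "typ": typ}
    signing_input = ".".join(b64url_encode(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_jwt(token: str, key: bytes, now: int, expected_typ: Optional[str] = None) -> dict:
    """Check alg, optional typ, signature and exp; return the payload or raise."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # reject alg confusion, including "none"
        raise ValueError("unexpected alg")
    if expected_typ is not None and header.get("typ") != expected_typ:
        raise ValueError("unexpected typ")  # a status list token is not a bearer token
    mac = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    return payload

def pack_status_list(statuses: List[int], bits: int = 1) -> str:
    """Pack statuses LSB-first within each byte, DEFLATE, base64url: the 'lst' value."""
    if bits not in (1, 2, 4, 8):
        raise ValueError("bits must be 1, 2, 4 or 8")
    per_byte = 8 // bits
    raw = bytearray((len(statuses) + per_byte - 1) // per_byte)
    for idx, value in enumerate(statuses):
        if not 0 <= value < (1 << bits):
            raise ValueError("status value does not fit in %d bit(s)" % bits)
        raw[idx // per_byte] |= value << ((idx % per_byte) * bits)
    return b64url_encode(zlib.compress(bytes(raw), 9))

def status_at(lst: str, bits: int, idx: int) -> int:
    """Read the status value at index idx out of an encoded 'lst' string."""
    raw = zlib.decompress(b64url_decode(lst))
    per_byte = 8 // bits
    if idx // per_byte >= len(raw):
        raise ValueError("index outside status list")
    return (raw[idx // per_byte] >> ((idx % per_byte) * bits)) & ((1 << bits) - 1)

def check_token_status(token: str, issuer_key: bytes, fetch: Callable[[str], str], now: int) -> str:
    """Signature check first, then the status lookup; returns VALID/INVALID/SUSPENDED."""
    payload = verify_jwt(token, issuer_key, now)
    ref = payload["status"]["status_list"]  # {"idx": ..., "uri": ...}
    sl = verify_jwt(fetch(ref["uri"]), issuer_key, now, expected_typ="statuslist+jwt")
    if sl.get("sub") != ref["uri"]:
        raise ValueError("status list 'sub' does not match the referenced uri")
    if "ttl" in sl and now > sl["iat"] + sl["ttl"]:  # a cached list this old must be re-fetched
        raise ValueError("status list is stale")
    code = status_at(sl["status_list"]["lst"], sl["status_list"]["bits"], ref["idx"])
    return STATUS_NAMES.get(code, "UNKNOWN(%d)" % code)

# --- constructed demo data (not from the page) ---
ISSUER_KEY = b"constructed-demo-hmac-key"
NOW = 1_700_000_000
STATUS_LIST_URI = "https://issuer.example/statuslists/1"
# 16 one-bit statuses; packs to bytes 0xB9 0xA3, the layout in the draft's own example.
DEMO_STATUSES = [1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1]
STATUS_LIST_TOKEN = sign_jwt(
    {"iss": "https://issuer.example", "sub": STATUS_LIST_URI, "iat": NOW - 3600, "ttl": 43200,
     "status_list": {"bits": 1, "lst": pack_status_list(DEMO_STATUSES)}},
    ISSUER_KEY, typ="statuslist+jwt")

def fetch_status_list(uri: str) -> str:
    """Stand-in for an HTTP GET of the status list token."""
    if uri != STATUS_LIST_URI:
        raise LookupError(uri)
    return STATUS_LIST_TOKEN

def make_referenced_token(idx: int) -> str:
    """A token whose revocation state lives at position idx of the demo list."""
    return sign_jwt({"iss": "https://issuer.example", "sub": "user-42", "exp": NOW + 600,
                     "status": {"status_list": {"idx": idx, "uri": STATUS_LIST_URI}}}, ISSUER_KEY)

if __name__ == "__main__":
    for idx in (1, 0):  # idx 1 is still VALID, idx 0 has been revoked
        print(idx, check_token_status(make_referenced_token(idx), ISSUER_KEY, fetch_status_list, NOW))
```

Two design points worth noting. The status list token is verified with the same care as the referenced token (signature, `exp`, and a `typ` check so a status list can never be replayed as a bearer token), and its `sub` is compared against the `uri` the referenced token pointed at, so a list served for one URI cannot answer for another. The `ttl` check is the analogue of CRL freshness: a relying party that caches the list past `iat + ttl` is trusting stale revocation data, which is exactly the failure mode a CRL's nextUpdate guards against.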