I have some questions on key handling.
1)
If one uses JWK to publish keys it is not possible to specify the lifetime of a key.
Potentially therefor a client could do one provider configuration discovery and then cache and reuse the result forever.
2)
When a client for some reason want to change it's keys it can do a client registration client_update request.
Regarding keys is such an update to be regarded as a replace or an update ?
Let's assume that a client issued a client_associate request with information about one key and then later a client_update request again with one key.
What if in the original request a X509_url was given, pointing to a RSA key and in the update only a jwk_url was provided again about a RSA key.
Should the old key be replace by the new ?
What if the original key was a RSA key and the one in the update was an EC key ?
Again replace ?
Basically are we dealing with update or replace ??
-- Roland