Figure 22 illustrates the interactions between a Client, a Server, a Certificate Authority (CA) and an identity provider. The CA is responsible for issuing the Application Instance Certificates. If the Client or Server does not have online access to the CA, then they shall validate the Application Instance Certificates using the CA public key that the administrator shall install on the local machine.
The identity provider may be a central database that can verify the user identity token provided by the Client. This identity provider may also tell the Server which access rights the user has. Which identity provider is used depends on the type of user identity token. It could be a Certificate Authority, an Authorization Service or a proprietary database of some sort.
The Client and Server shall prove possession of the private keys belonging to their Application Instance Certificates by signing the Certificates with a nonce appended. The nonce is supplied by the receiving peer for the current session, so a signature captured from an earlier session cannot be replayed. The exact mechanism used to create the proof of possession signatures is described in 5.6.2. Similarly, the Client shall prove possession of the user identity by either providing a secret like a password in the user identity token or by creating a signature with the secret associated with a user identity token such as an X.509 v3 Certificate.
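The two checks described above, offline validation of an Application Instance Certificate against an administrator-installed CA key and proof of possession over a certificate with a nonce appended, as an added example using only the Go standard library. It is not code from the specification or from any OPC UA stack. The byte layout it signs (SHA-256 over the peer's certificate DER followed by the peer's 32-byte nonce, RSA PKCS#1 v1.5, the shape of the Basic256Sha256 policy) is an assumption standing in for whatever 5.6.2 prescribes, and the actor names and application URIs are made up.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net/url"
	"time"
)

// Illustrative only: names, URIs and the signed byte layout are assumptions.

var serial int64 // unique serial per issued certificate

// mkCert issues a certificate. With isCA the certificate is self-signed (the
// CA of Figure 22); otherwise parent/parentKey are the issuing CA.
func mkCert(cn, uri string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		u, _ := url.Parse(uri)
		tmpl.URIs = []*url.URL{u} // OPC UA carries the ApplicationUri in the SAN
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// validateOffline trusts only the locally installed CA public key: no online
// contact with the CA, no revocation fetch.
func validateOffline(peer, trustedCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

const nonceLen = 32 // assumed minimum session nonce length

func newNonce() ([]byte, error) {
	n := make([]byte, nonceLen)
	_, err := io.ReadFull(rand.Reader, n)
	return n, err
}

// provePossession signs SHA-256(peerCertDER || peerNonce) with the signer's own
// private key, the key whose certificate the peer will verify against.
func provePossession(signerKey *rsa.PrivateKey, peerCertDER, peerNonce []byte) ([]byte, error) {
	h := sha256.Sum256(append(append([]byte{}, peerCertDER...), peerNonce...))
	return rsa.SignPKCS1v15(rand.Reader, signerKey, crypto.SHA256, h[:])
}

// verifyPossession checks the signature with the public key in signerCert,
// over the verifier's own certificate and the nonce it issued for this session.
func verifyPossession(signerCert *x509.Certificate, ownCertDER, ownNonce, sig []byte) error {
	pub, ok := signerCert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("signer certificate does not hold an RSA key")
	}
	if len(ownNonce) < nonceLen {
		return errors.New("nonce too short")
	}
	h := sha256.Sum256(append(append([]byte{}, ownCertDER...), ownNonce...))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

type Outcome struct{ TrustedAccepted, RogueRejected, ProofAccepted, ReplayRejected bool }

// RunFigure22 walks the exchanges: the CA issues certificates, each side
// validates the other offline, each proves possession of its key, and a
// signature replayed under a fresh nonce is rejected.
func RunFigure22() (Outcome, error) {
	var o Outcome
	ca, caKey, err := mkCert("Example OPC UA CA", "", true, nil, nil)
	if err != nil {
		return o, err
	}
	server, serverKey, err := mkCert("server", "urn:example:server", false, ca, caKey)
	if err != nil {
		return o, err
	}
	client, clientKey, err := mkCert("client", "urn:example:client", false, ca, caKey)
	if err != nil {
		return o, err
	}
	rogueCA, rogueKey, _ := mkCert("Rogue CA", "", true, nil, nil)
	rogue, _, _ := mkCert("client", "urn:example:client", false, rogueCA, rogueKey) // same URI, wrong CA
	o.TrustedAccepted = validateOffline(client, ca) == nil
	o.RogueRejected = validateOffline(rogue, ca) != nil
	serverNonce, _ := newNonce()
	clientNonce, _ := newNonce()
	csig, _ := provePossession(clientKey, server.Raw, serverNonce) // Client signs serverCert||serverNonce
	ssig, _ := provePossession(serverKey, client.Raw, clientNonce) // Server signs clientCert||clientNonce
	o.ProofAccepted = verifyPossession(client, server.Raw, serverNonce, csig) == nil &&
		verifyPossession(server, client.Raw, clientNonce, ssig) == nil
	nextNonce, _ := newNonce() // a new session issues a new nonce
	o.ReplayRejected = verifyPossession(client, server.Raw, nextNonce, csig) != nil
	return o, nil
}

func main() {
	o, err := RunFigure22()
	fmt.Printf("%+v err=%v\n", o, err)
}
```

The rogue certificate carries the same ApplicationUri as the real Client, which is why the check must rest on the installed CA key rather than on anything the peer puts in its own certificate; and the replayed signature fails purely because the Server chose a new nonce, which is the whole point of appending one.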