I would have had the same feedback for @aaronpk and his OAuth 2.1 coauthors (but really only Aaron b/c AFAICT he's the only one really contributing to 2.1) but admittedly I did miss the RFC6125 cert validation stuff in the nearly 200 pages of RFC9100. Apologies there.
Perhaps just a bit more specific reference (I think/hope this syntax is correct)?
```suggestion
Workloads SHOULD use the https scheme to secure the communication channel and authenticate the Transaction Token Service. When using `https`, TLS certificates MUST be checked according to {{Section 4.3.4 of RFC9110}}. At the time of this writing, TLS version 1.3 {{RFC8446}} is the most recent version.
```
Ignoring that I just noticed again that RFC6125 has been obsoleted by RFC 9525. But maybe pointing at 9110 can enable just continuing to ignore that.