I’ve implemented this: my ticket_endpoint will accept a (currently optional) iss parameter. If that’s included, the endpoint will check that the issuer URL advertises an indieauth-metadata endpoint and is valid as described in the spec.
I think I like this solution to the privacy concern. It also avoids the overhead of advertising endpoints on multiple resource URLs. So I lean towards requiring the iss when sending a ticket. However, I’m not sure how many implementations might send an issuer URL that does not advertise the metadata endpoint.
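A sketch of the kind of `iss` check described above, added here as an illustration; it is not the author's implementation. It assumes the validity rules are the IndieAuth issuer rules (https scheme, no query or fragment, issuer is a prefix of the metadata URL, and the metadata document's `issuer` equals `iss`), handles only `Link`-header discovery (not HTML `<link>` elements), and takes the already-fetched header and metadata as arguments; the function names and sample values are hypothetical.

```python
import re
from urllib.parse import urljoin, urlsplit

# Matches one link-value: <target> followed by its ;param=value pairs.
LINK_RE = re.compile(r'<([^>]*)>((?:\s*;\s*[^;,]+)*)')
REL_RE = re.compile(r'\brel\s*=\s*"?([^";]+)"?', re.I)

def find_metadata_url(base_url, link_header):
    """Return the rel=indieauth-metadata target from a Link header, or None."""
    for target, params in LINK_RE.findall(link_header or ""):
        rel = REL_RE.search(params)
        if rel and "indieauth-metadata" in rel.group(1).lower().split():
            return urljoin(base_url, target)  # resolve relative targets
    return None

def check_ticket_issuer(iss, link_header, metadata):
    """Return None if iss is acceptable, else a short rejection reason."""
    parts = urlsplit(iss)
    if parts.scheme != "https" or not parts.netloc:
        return "issuer must be an https URL"
    if parts.query or parts.fragment:
        return "issuer must not contain a query or fragment"
    metadata_url = find_metadata_url(iss, link_header)
    if metadata_url is None:
        return "issuer does not advertise indieauth-metadata"
    if not metadata_url.startswith(iss):
        return "issuer is not a prefix of the metadata URL"
    if metadata.get("issuer") != iss:
        return "metadata issuer does not match iss"
    return None

# Constructed sample: what a GET of the issuer URL and of its metadata
# document might return (values are made up for this example).
SAMPLE_ISS = "https://issuer.example/"
SAMPLE_LINK = ('<https://issuer.example/auth>; rel="authorization_endpoint", '
               '</.well-known/oauth-authorization-server>; rel="indieauth-metadata"')
SAMPLE_METADATA = {"issuer": "https://issuer.example/"}

if __name__ == "__main__":
    print(check_ticket_issuer(SAMPLE_ISS, SAMPLE_LINK, SAMPLE_METADATA))
```

Because `iss` arrives in an unauthenticated request, an endpoint that fetches it should apply its usual outbound-request restrictions (timeouts, size limits, no internal addresses) before running these checks.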