A possible solution is to lock a subscription to a specific session. The identity of the session is the application Uri.

The idea would be to implement two methods
i) a method to lock a subscription to an application Uri, so that the subscription can only be transferred to a session with the same application Uri

e.g. session.SetSubscriptionLock(uint []subscriptionId)
e.g. session.SetSubscriptionNonTransferable(uint []subscriptionId)
e.g. session.BindSubscriptionToClient(uint []subscriptionId)

ii) a method to look up subscriptions that were created by the application Uri of the active session

session.GetSubscriptions(out uint [] subscriptionIds)

The description would indicate that only subscriptions are returned which are related to the application Uri which owns the session.

The Transfer subscription service should reject to transfer locked subscriptions to other application Uris.

An update of the client application certificate does not affect the identity because the application Uri remains unchanged and the new cert may have to be trusted.

If a server auto accepts untrusted certificates it shall not be allowed to lock subscriptions because of the security risk of app uri tampering.

The client has to be trusted and shall use at least signed communication.

Agreed to add sub-Variable to Subscription diagnostic to hold Client information (from the Session diagnostic) about the session that currently or last "owned" the subscription. This is because the Session diagnostic goes away when the Subscriptions once owned by the Session are still alive in the Server.

Also add methods to the Server Object for Administrators to Close Sessions and Subscriptions owned by others.