oidc: rename expected_certificate_subject -> federated_issuer

CHANGELOG.md

@@ -82,6 +82,11 @@ All versions prior to 0.9.0 are untracked.
   have been re-homed under `sigstore.models`
   ([#990](https://github.com/sigstore/sigstore-python/pull/990))
 
+* API: `oidc.IdentityToken.expected_certificate_subject` has been renamed
+  to `oidc.IdentityToken.federated_issuer` to better describe what it actually
+  contains. No functional changes have been made to it
+  ([#1016](https://github.com/sigstore/sigstore-python/pull/1016))
+
 ## [2.1.5]
 
 ## Fixed

sigstore/oidc.py

@@ -205,9 +205,9 @@ def issuer(self) -> str:
         return self._iss
 
     @property
-    def expected_certificate_subject(self) -> str:
+    def federated_issuer(self) -> str:
         """
-        Returns a URL identifying the **expected** subject for any Sigstore
+        Returns a URL identifying the **federated** issuer for any Sigstore
         certificate issued against this identity token.
 
         The behavior of this field is slightly subtle: for non-federated
@@ -218,7 +218,7 @@ def expected_certificate_subject(self) -> str:
         implementation-defined claim.
 
         This attribute exists so that clients who wish to inspect the expected
-        subject of their certificates can do so without relying on
+        underlying issuer of their certificates can do so without relying on
         implementation-specific behavior.
         """
         if self._federated_issuer is not None:

test/unit/test_oidc.py

@@ -267,4 +267,4 @@ def test_ok(self, dummy_jwt, iss, identity_claim, identity_value, fed_iss):
         assert identity.in_validity_period()
         assert identity.identity == identity_value
         assert identity.issuer == iss
-        assert identity.expected_certificate_subject == iss if not fed_iss else fed_iss
+        assert identity.federated_issuer == iss if not fed_iss else fed_iss