Provide guidance on use of cty in JOSE / COSE #47
Comments
Why this advice for "Explicit Typing" was not solely used and instead
@dlongley Not sure I fully follow, for the case where you are securing
As RFC 8725 (and it draws from RFC 8417) states, disambiguating different types of JWTs (with "normal case" claims set content) should be done via That being said, my thoughts on In a JWT, the default content type is a claims set. If you're going to change that to be something else, such as Only if the content is something else, for example, another JWT (which is NOT a JWT claim set, but rather looks like a string of dotted base64url-encoded values) or some other thing, for example, a W3C Credential from the VCDM (
A decision making chart / flow: Is the content of the JWT a claims set?
@dlongley I think you just agreed with my framing above... you prefer to see:
Yes.
Acknowledged... but really you mean No Yes Basically what you said here: #47 (comment)
My read of the specs is that you should use That means that the specs recommend using As for the use of
To further clarify: Claims sets:
Not claims sets:
The former (Claims sets) should never appear in the The latter (Not claims sets) can appear in
This seems overtaken by events, I think we have resolved these issues, and when #88 is merged this should be closed.
@selfissued still blocked by the PR above.
Closing, since PR #88 has been merged.
Describe why we believe that cty should be used to specify the media type of the payload.
Note that JWS guidance on cty and JWT guidance on it differ.
Comment also on the use of COSE cty, for compatibility with more recent IETF work that has been published in the decades since the original RFCs were written, perhaps including:
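
The decision flow discussed in the comments (explicit typing through typ, and cty only when the payload is not a claims set), sketched as a verifier-side header check. This is an added example, not code from the thread or from the project. The function names, the media types "example+jwt" and "example+json", and the rule that a non-claims-set payload must declare its cty are assumptions of this example.

```python
import base64
import json
from typing import Optional

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(header: dict, payload: bytes) -> str:
    # Constructed, unsigned sample token: the signature segment is a dummy.
    return ".".join([b64url(json.dumps(header).encode()), b64url(payload), b64url(b"sig")])

def media_type(value: str) -> str:
    # RFC 7515 lets "application/" be omitted when the value has no other "/".
    value = value.strip().lower()
    return value if "/" in value else "application/" + value

def check_header(token: str, expected_typ: str, expected_cty: Optional[str] = None) -> dict:
    """Enforce explicit typing via typ, and the claims-set rule for cty.

    expected_cty=None means the verifier expects a claims set as payload.
    Signature verification is out of scope here and must happen as well.
    """
    segment = token.split(".")[0]
    header = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    typ, cty = header.get("typ"), header.get("cty")
    if not isinstance(typ, str) or media_type(typ) != media_type(expected_typ):
        raise ValueError(f"unexpected typ: {typ!r}")
    if expected_cty is None:
        if cty is not None:
            raise ValueError("cty present although the payload should be a claims set")
    elif not isinstance(cty, str) or media_type(cty) != media_type(expected_cty):
        # Assumption of this example: a non-claims-set payload must declare its cty.
        raise ValueError(f"unexpected cty: {cty!r}")
    return header

# Constructed sample inputs; "example+jwt" and "example+json" are made-up media types.
CLAIMS_TOKEN = make_token({"alg": "ES256", "typ": "example+jwt"}, b'{"iss":"https://issuer.example"}')
WRAPPED_TOKEN = make_token({"alg": "ES256", "typ": "example+jwt", "cty": "example+json"}, b'{"name":"doc"}')
MISTYPED_TOKEN = make_token({"alg": "ES256", "typ": "JWT"}, b'{"iss":"https://issuer.example"}')

if __name__ == "__main__":
    print(check_header(CLAIMS_TOKEN, "application/example+jwt"))
    print(check_header(WRAPPED_TOKEN, "example+jwt", "application/example+json"))
```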