Hello,

Often, implementers wish to align CWT and JWT as much as possible, for example:

https://ietf-rats-wg.github.io/eat/draft-ietf-rats-eat.html#name-eat-as-a-framework

As an aside, +cwt, as a suffix, was recently commented on in RATs:

- https://mailarchive.ietf.org/arch/msg/rats/98_PA9wK6pR0n9MtWipoApslPlI

In the context of JWT:

According to RFC8725:

"Sometimes, one kind of JWT can be confused for another. If a particular kind of JWT is subject to such confusion, that JWT can include an explicit JWT type value, and the validation rules can specify checking the type. This mechanism can prevent such confusion. Explicit JWT typing is accomplished by using the "typ" Header Parameter. For instance, the [RFC8417] specification uses the "application/secevent+jwt" media type to perform explicit typing of Security Event Tokens (SETs)."

- https://datatracker.ietf.org/doc/html/rfc8725#name-use-explicit-typing
- `typ`: https://www.rfc-editor.org/rfc/rfc7519#section-5.1
- `cty`: https://www.rfc-editor.org/rfc/rfc7519#section-5.2

In the context of CWT:

There is `content-type`, aka `ctyp`, aka `cty`, aka tag 3.

- https://www.rfc-editor.org/rfc/rfc8152.html#section-3.1

However, there is no `typ` value present here:

https://www.iana.org/assignments/cose/cose.xhtml

As an implementer I would like to know why CWT does not have a `typ` value, and what parts of the JWT BCP would apply to a hypothetical CWT BCP?

I would like to see support for `typ` added to CWT if possible, or have a good understanding of why we want JWT and CWT headers to differ in relation to the JWT BCP.

Regards,

OS

--
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries
<https://www.transmute.industries>
_______________________________________________
COSE mailing list
COSE@ietf.org
https://www.ietf.org/mailman/listinfo/cose
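The explicit-typing check described in the RFC 8725 passage quoted in the message above, shown for the JWT side only, as an added example that is not part of the original message or of any project it mentions. It assumes HS256-signed compact tokens; the function names, the key and the sample tokens are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    # JWS uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def normalize_typ(value: str) -> str:
    # RFC 7515 section 4.1.9: "application/" may be omitted when the value has
    # no other "/"; media type names compare case-insensitively.
    value = value.strip().lower()
    return value if "/" in value else "application/" + value


def validate(token: str, key: bytes, expected_typ: str) -> dict:
    """Verify an HS256 compact JWS and require an explicit type match."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError unless 3 parts
    header = json.loads(b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # algorithm is pinned by the verifier
    mac = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256)
    if not hmac.compare_digest(mac.digest(), b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    typ = header.get("typ")
    if not isinstance(typ, str) or normalize_typ(typ) != normalize_typ(expected_typ):
        raise ValueError(f"wrong token type: {typ!r}")  # missing typ is rejected too
    return json.loads(b64url_decode(payload_b64))


def issue(header: dict, claims: dict, key: bytes) -> str:
    # Helper that builds the constructed sample tokens used below.
    signing_input = ".".join(
        b64url_encode(json.dumps(part).encode()) for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


KEY = b"constructed-demo-key"  # constructed value, not a real secret
SET_TOKEN = issue({"alg": "HS256", "typ": "secevent+jwt"}, {"iss": "idp", "events": {}}, KEY)
PLAIN_JWT = issue({"alg": "HS256", "typ": "JWT"}, {"iss": "idp", "sub": "alice"}, KEY)
UNTYPED = issue({"alg": "HS256"}, {"iss": "idp", "sub": "alice"}, KEY)
```

All three sample tokens carry a valid signature under the same key, so only the `typ` comparison keeps a verifier that expects a Security Event Token from accepting `PLAIN_JWT` or `UNTYPED`.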