> In general, I would expect CWTs that needed to be explicit about their type > to use a CBOR tag.
RFC9277? > Now, that would likely be outisde of the signed part, so > if you think we need something inside, then I would support that. Signing a binary blob without including what it is (how to interpret the heap of bytes) in the signed message is dangerous (cross-protocol attacks). So having a form of content-type/content-format signed together with those data is something I would strive for. Grüße, Carsten _______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
