In the interest of time, I did not follow up in the WG F2F, but
cty=JWT for both JWE and JWS still bothers me.
Yes, it can be unambiguously identified whether the content is JWS or JWE,
but to do that, you have to sniff the body of the decoded JWT.

If we had typ=JWT+JWS etc. or cty=JWT+JWS, it would be possible to tell
without deep sniffing.

-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
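
The "sniffing" described in the message above, as an added example that is not part of the original email: with only cty=JWT on the outer header, a recipient has to decode the payload and inspect the inner token's segment count and header to tell a nested JWS from a nested JWE. The outer token is assumed to be a JWS, all tokens are constructed samples with dummy signature and ciphertext bytes, and no signature verification or decryption is performed.

```python
import base64
import json

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def classify_compact(token):
    """Return 'JWS' or 'JWE' for a compact-serialized token, by inspection."""
    parts = token.split(".")
    header = json.loads(b64url_decode(parts[0]))
    # JWE compact form has 5 segments and an "enc" header; JWS compact has 3.
    if len(parts) == 5 and "enc" in header:
        return "JWE"
    if len(parts) == 3 and "enc" not in header:
        return "JWS"
    raise ValueError("not a recognisable compact JWS or JWE")

def inner_kind(outer_jws):
    """For an outer JWS with cty=JWT, sniff the payload to learn the inner type.

    A real recipient verifies the outer signature before trusting the payload;
    that step is omitted here because the sample signatures are dummies.
    """
    head, payload, _sig = outer_jws.split(".")
    header = json.loads(b64url_decode(head))
    if header.get("cty", "").upper() != "JWT":
        return None  # payload is not declared as a nested JWT
    return classify_compact(b64url_decode(payload).decode("ascii"))

def _seg(obj):
    return b64url_encode(json.dumps(obj).encode())

# Constructed samples: header values are illustrative, crypto fields are dummies.
INNER_JWS = ".".join([_seg({"alg": "HS256"}), _seg({"sub": "alice"}),
                      b64url_encode(b"sig")])
INNER_JWE = ".".join([_seg({"alg": "dir", "enc": "A128GCM"}), "",
                      b64url_encode(b"iv"), b64url_encode(b"ct"),
                      b64url_encode(b"tag")])

def wrap(inner):
    """Nest a compact token inside an outer JWS whose header says cty=JWT."""
    return ".".join([_seg({"alg": "HS256", "cty": "JWT"}),
                     b64url_encode(inner.encode()), b64url_encode(b"sig")])

if __name__ == "__main__":
    for name, inner in (("nested JWS", INNER_JWS), ("nested JWE", INNER_JWE)):
        print(name, "->", inner_kind(wrap(inner)))
```

Both outer headers are byte-for-byte identical, so the distinction only becomes visible after the payload has been decoded.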
