>> A nested JWT is one where a JWT is used as the payload of another
>> JWT, for instance, so you can do sign/encrypt/sign.

> So, first of all, it seems like an abuse of terminology to say "JWT
> within a JWT", unless you really want to create an infinite recursion.

It would be better to say a JWT is a set of claims wrapped in: a JWE; a JWS; or a JWS, which is itself wrapped in a JWE [*]. This would hopefully avoid the confusing definition and discussion of a "JWT header", when the spec should just be profiling the JWE and JWS headers.

[*] Add other combinations (JWE inside a JWS?) or allow any combination if it is really required, but listing a few specific combinations that MUST be supported seems more in keeping with the general philosophy in this area.

--
James Manger

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
