On Wed, Apr 14, 2021 at 1:19 AM Vittorio Bertocci <vittorio.bertocci= [email protected]> wrote:
> > 3. -----
> > [...]
>
> Formally, I agree that JOSE would also work. The choice of media type
> derives from https://tools.ietf.org/html/rfc7519#section-10.3.1. There is
> no functional difference between JWS and JWE in the intent a client has
> when calling an RS, here there's not much to be gained in using different
> MIME types for those cases. Furthermore, whereas developers are familiar
> with the term "JWT", both from direct use and thanks to the popularity of
> OpenID Connect (which does use application/jwt), terms like JWS, JWE or
> JOSE wouldn't be as promptly understood as JWT. Throughout the discussions
> in the last couple of years, the consensus on the use of at+jwt was solid-
> my hope is that will make intuitive sense for implementers, too.
>

I think the use of 'at+jwt' was also (or even primarily) motivated by
explicitly typing per the JWT BCP
https://datatracker.ietf.org/doc/html/rfc8725#section-3.11 as a means of
preventing Cross-JWT Confusion
https://datatracker.ietf.org/doc/html/rfc8725#section-2.8

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
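
As an added illustration (not part of the original message or of any project's code), the explicit-typing check discussed above could look like this on a resource server: it reads the `typ` header the same way for a compact JWS and a compact JWE and rejects anything that is not `at+jwt` or `application/at+jwt`. Function names and sample tokens are constructed for the example, and signature or decryption validation is assumed to happen separately.

```python
import base64
import json

# Media types accepted in the "typ" header of a JWT access token
# ("at+jwt", with or without the "application/" prefix).
ACCESS_TOKEN_TYPES = {"at+jwt", "application/at+jwt"}


def _b64url_decode(segment: str) -> bytes:
    # JOSE uses unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def protected_header(token: str) -> dict:
    """Return the JOSE header of a compact JWS (3 parts) or JWE (5 parts)."""
    parts = token.split(".")
    if len(parts) not in (3, 5):
        raise ValueError("not a compact JWS or JWE")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # covers base64, UTF-8 and JSON errors
        raise ValueError("undecodable JOSE header") from exc
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header


def is_access_token_type(token: str) -> bool:
    """Explicit-typing check (RFC 8725 section 3.11); not a signature check."""
    try:
        typ = protected_header(token).get("typ")
    except ValueError:
        return False
    # Media type names compare case-insensitively; a missing typ is rejected,
    # which is what keeps an ID token from being replayed as an access token.
    return isinstance(typ, str) and typ.lower() in ACCESS_TOKEN_TYPES


def sample_token(header: dict, segments: int) -> str:
    # Constructed sample: real header, placeholder bytes in the other segments.
    raw = json.dumps(header).encode()
    head = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([head] + ["AAAA"] * (segments - 1))
```
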
