erwah / ietf

CBOR Web Token

Split claims into those that have to be understood and those optional to understand. #37

Closed erdtman closed 7 years ago

erdtman commented 7 years ago

T1: Most fundamentally, the spec inherits a fundamental problem from JWT: Some entries in the CWT ("claims") are actual independent claims that can indeed be ignored if not understood, and other entries shape the meaning of the actual claims in the CWT. E.g., an nbf entry isn't really a "claim" at all, it is an implicit parameter to the real claims in the CWT. This is, of course, a property that CWT shares with JWT, but we could use the opportunity of defining CWT to be a bit more specific. E.g., we could use negative labels for entries that shape others and unsigned ones for entries that can be ignored. (BTW, all labels defined here would be the former category.)

selfissued commented 7 years ago

I disagree with the statement that we've inherited a problem. I believe that we've inherited the same flexibility that made JWTs successful and widely used across many application domains. This is by design.

It's up to the application profile to say which claims are required for that application. We shouldn't presume to require that implementations must understand certain claims when their application profile doesn't specify their use. This would be particularly onerous for IoT and other constrained environment implementations.
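The two positions above can be made concrete in a claims validator. The following is an added example, not code from the CWT draft, from erdtman or from selfissued: it decodes nothing (the input is a Python dict with integer keys, which is what a CBOR decoder would hand back for the claims map) and shows both the application-profile approach (a `required` set the profile demands) and the hypothetical "negative label = must understand" convention floated in the first comment. The integer claim keys are the ones registered for CWT in RFC 8392; the keys 9999 and -9999, the `validate_claims`/`accepts` names and the timestamps are constructed for the example.

```python
# Registered CWT claim keys (RFC 8392, Section 4); a CBOR decoder yields
# these as Python ints when it decodes the claims map.
ISS, SUB, AUD, EXP, NBF, IAT, CTI = 1, 2, 3, 4, 5, 6, 7
KNOWN_CLAIMS = {ISS, SUB, AUD, EXP, NBF, IAT, CTI}


class ClaimError(Exception):
    """Raised when the claims map must not be accepted."""


def validate_claims(claims, *, now, audience, required=(),
                    negative_means_must_understand=False):
    """Validate a decoded CWT claims map (keys -> values).

    required: claim keys an application profile demands be present
        (the "profile decides" position in the thread).
    negative_means_must_understand: apply the hypothetical convention
        from the thread: an unrecognised negative key is fatal, an
        unrecognised unsigned key is skipped. With it off, every
        unrecognised key is skipped, as JWT processing does.
    Returns the set of keys that were skipped.
    """
    if not isinstance(claims, dict):
        raise ClaimError("claims payload is not a CBOR map")
    skipped = set()
    for key in claims:
        if key in KNOWN_CLAIMS:
            continue
        if negative_means_must_understand and isinstance(key, int) and key < 0:
            raise ClaimError(f"unrecognised must-understand claim key {key}")
        skipped.add(key)
    missing = set(required) - claims.keys()
    if missing:
        raise ClaimError(f"profile-required claims missing: {sorted(missing)}")
    # Entries that shape the meaning of the other claims are never skipped:
    # a malformed exp/nbf/iat is fatal rather than ignored.
    for key, name in ((EXP, "exp"), (NBF, "nbf"), (IAT, "iat")):
        if key in claims and not isinstance(claims[key], (int, float)):
            raise ClaimError(f"{name} must be numeric")
    if EXP in claims and now >= claims[EXP]:
        raise ClaimError("token expired")
    if NBF in claims and now < claims[NBF]:
        raise ClaimError("token not yet valid")
    # CWT aud is a single StringOrURI, so a direct comparison suffices.
    if AUD in claims and claims[AUD] != audience:
        raise ClaimError("audience mismatch")
    return skipped


def accepts(claims, **kwargs):
    """True if validate_claims accepts the map, False if it raises ClaimError."""
    try:
        validate_claims(claims, **kwargs)
        return True
    except ClaimError:
        return False


NOW = 1_700_000_000  # constructed "current time" so the run is deterministic
SAMPLE = {  # constructed claims map; 9999 is a made-up, unregistered key
    ISS: "coap://as.example.com",
    AUD: "coap://light.example.com",
    EXP: NOW + 600,
    NBF: NOW - 60,
    IAT: NOW - 60,
    CTI: b"\x0b\x71",
    9999: "unknown optional extension",
}

if __name__ == "__main__":
    # Unknown unsigned key is skipped under both policies.
    print(validate_claims(SAMPLE, now=NOW, audience="coap://light.example.com"))
    # A made-up negative key is skipped under JWT-style processing but
    # rejected once negative labels are treated as must-understand.
    shaped = {**SAMPLE, -9999: "unknown entry that shapes the other claims"}
    print(accepts(shaped, now=NOW, audience="coap://light.example.com"))
    print(accepts(shaped, now=NOW, audience="coap://light.example.com",
                  negative_means_must_understand=True))
```

The point the code makes: with JWT-style processing the validator cannot tell an ignorable extension from an entry that changes what the other claims mean, so an unrecognised "shaping" entry is silently dropped; the profile-based approach handles the cases a profile anticipates (`required`), and the label-sign convention handles the ones it does not.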

erdtman commented 7 years ago

Closing as won't fix for now