ietf-rats-wg / draft-eat-mt

EAT media type(s)

Secdir review #29

Closed thomas-fossati closed 1 week ago

thomas-fossati commented 1 week ago

In his Secdir review, @timfromdigicert notes:

"[...] the security considerations section needs a discussion of what happens when the MIME type on the request DOES NOT correspond correctly to the URI or OID that's in the payload. Failure to correctly handle that case could lead to cross-protocol attacks against other token types, and so on, so I think some discussion or advice is necessary, even if it is to simply point out why this isn't a concern, or which portion of the document handles this that I missed."

thomas-fossati commented 1 week ago

ISTM that no new surface for cross-protocol attacks has been introduced by these types.

Changing "application/eat+cwt; eat_profile=1.2.3" into "application/eat+cwt; eat_profile=3.2.1" is not different from changing "application/foo" into "application/bar".
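As an added example, not code from the draft or from this thread: the relying-party check the reviewer is asking about, which compares the `eat_profile` media type parameter against the profile claim carried inside the token and refuses to interpret a token under a profile its framing did not announce. It assumes the token has already been decoded into a dict keyed by claim name (`eat_profile`) and that `application/eat+jwt` is registered alongside `application/eat+cwt`; both are assumptions.

```python
import re

# Assumed: EAT media types the relying party accepts (the +jwt entry is assumed).
EAT_TYPES = {"application/eat+cwt", "application/eat+jwt"}
# Assumed: the profile claim, looked up by name in an already-decoded claims dict.
PROFILE_CLAIM = "eat_profile"

# Split on ';' only when an even number of '"' follows, i.e. outside quoted-strings.
_SPLIT_OUTSIDE_QUOTES = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_media_type(value: str):
    """Return (type/subtype, {name: value}) for a Content-Type header value.

    Type, subtype and parameter names are case-insensitive and are lowercased;
    parameter values keep their case, with quoted-string quoting removed.
    """
    parts = _SPLIT_OUTSIDE_QUOTES.split(value)
    mtype = parts[0].strip().lower()
    if not re.fullmatch(r"[\w.+-]+/[\w.+-]+", mtype):
        raise ValueError(f"malformed media type: {value!r}")
    params = {}
    for part in parts[1:]:
        if not part.strip():
            continue
        name, sep, raw = part.partition("=")
        if not sep:
            raise ValueError(f"parameter without a value: {part.strip()!r}")
        name, raw = name.strip().lower(), raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape quoted-pair
        if name in params:
            raise ValueError(f"duplicate parameter: {name!r}")
        params[name] = raw
    return mtype, params


def check_profile_binding(content_type: str, claims: dict) -> str:
    """Classify how the media type framing relates to the token's profile claim.

    Returns one of: "not-eat", "unconstrained" (no eat_profile parameter, so
    nothing to bind), "missing-claim", "mismatch", or "match". Only "match"
    and "unconstrained" should lead to the token being processed further.
    """
    mtype, params = parse_media_type(content_type)
    if mtype not in EAT_TYPES:
        return "not-eat"
    declared = params.get("eat_profile")
    if declared is None:
        return "unconstrained"
    actual = claims.get(PROFILE_CLAIM)
    if actual is None:
        return "missing-claim"
    return "match" if actual == declared else "mismatch"
```

The comparison is an exact string match; a profile given as a URI in one place and as an OID in the other is reported as a mismatch rather than silently equated.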