italia / eudi-wallet-it-docs

Italian EUDI Wallet Technical Specifications
Creative Commons Zero v1.0 Universal

Unnecessarily generic wording of Request Object JWT header `typ` #458

Closed Zicchio closed 3 weeks ago

Zicchio commented 4 weeks ago

The request object JWT header must include a `typ` header as specified here https://github.com/italia/eudi-wallet-it-docs/blob/fdd9cf44e69bd6eeb4cfb11684dd6f5e0e7c6a57/docs/en/remote-flow.rst?plain=1#L277-L278, but the spec does not state what value `typ` must have, relying instead on a generic description.

It is implicit from the non-normative example that `typ` must be JWT, but IMO if this is the case then the description should state it.

Note that, surprisingly, RFC 9101 (JAR) does not actually mandate the usage of `typ`, and indeed it is NOT included in the non-normative example. This is because a Request Object is always delivered in an HTTP response with media type application/oauth-authz-req+jwt, making the `typ` field not required.

Zicchio commented 3 weeks ago

Upon further inspection, RFC 9101 includes some suggestions for the `typ` header. In RFC 9101, Section 10.8, it is stated that:

One would explicitly type a Request Object by including a typ Header Parameter with the value oauth-authz-req+jwt (which is registered in Section 9.4.1). Note, however, that requiring explicitly typed Request Objects at existing authorization servers will break most existing deployments, as existing clients are already commonly using untyped Request Objects, especially with OpenID Connect. However, requiring explicit typing would be a good idea for new OAuth deployment profiles where compatibility with existing deployments is not a consideration.

If I understand this line correctly, the recommended behaviour is to either:

  1. omit `typ` completely and leave the Request Object untyped
  2. require that `typ` has value oauth-authz-req+jwt

IMO solution 2 should be preferred, since this is a new deployment profile.
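The explicit-typing check argued for in this thread, as an added example that is not part of the issue, of the eudi-wallet-it-docs repository, or of RFC 9101: a minimal Python verifier that parses a Request Object's JOSE header and accepts it only when `typ` resolves to the registered media type oauth-authz-req+jwt, rejecting both untyped and generically typed (`typ: JWT`) objects. Assumptions: HS256 with a constructed shared key stands in for the profile's asymmetric signature so the example runs offline; the claims and the key are constructed sample data; the function names `make_request_object` and `verify_request_object` are hypothetical and not from the spec or any library.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Media type RFC 9101 registers for Request Objects. Per RFC 7515 section 4.1.9
# a producer may omit the "application/" prefix in "typ" when the value contains
# no other "/", and a recipient MUST treat such a value as if it were prepended.
REQUEST_OBJECT_MEDIA_TYPE = "application/oauth-authz-req+jwt"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _normalize_typ(typ: str) -> str:
    # Media type names are case-insensitive; expand a short form to its full form.
    if "/" not in typ:
        typ = "application/" + typ
    return typ.lower()


def make_request_object(claims: dict, key: bytes, typ: Optional[str]) -> str:
    """Build an HS256-signed Request Object (hypothetical helper).

    HS256 with a shared key is used only so the example runs offline; the
    profile itself uses asymmetric keys. typ=None produces an untyped JWT.
    """
    header = {"alg": "HS256"}
    if typ is not None:
        header["typ"] = typ
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_request_object(jwt: str, key: bytes, require_explicit_typ: bool = True) -> dict:
    """Verify a Request Object and enforce explicit typing (hypothetical helper).

    Order matters: pin the algorithm before checking the signature (no algorithm
    confusion), check the signature before trusting any other header or claim,
    and only then apply the profile's typ policy. Raises ValueError on rejection.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    encoded_header, encoded_payload, encoded_signature = parts

    header = json.loads(_b64url_decode(encoded_header))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))

    expected = hmac.new(
        key, f"{encoded_header}.{encoded_payload}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(encoded_signature)):
        raise ValueError("bad signature")

    typ = header.get("typ")
    if require_explicit_typ:
        # Solution 2 from the thread: a new profile can demand explicit typing.
        if typ is None:
            raise ValueError("Request Object is untyped; typ=oauth-authz-req+jwt required")
        if _normalize_typ(typ) != REQUEST_OBJECT_MEDIA_TYPE:
            raise ValueError("Request Object has typ=%r, expected oauth-authz-req+jwt" % typ)

    return json.loads(_b64url_decode(encoded_payload))


if __name__ == "__main__":
    # Constructed sample data: a shared key and a small set of authorization
    # request parameters; none of these values come from the specification.
    key = b"constructed-test-key-do-not-reuse"
    claims = {
        "iss": "https://verifier.example",
        "aud": "https://self-issued.me/v2",
        "response_type": "vp_token",
        "nonce": "n-0S6_WzA2Mj",
    }
    for label, typ in [("explicit", "oauth-authz-req+jwt"), ("generic", "JWT"), ("untyped", None)]:
        token = make_request_object(claims, key, typ)
        try:
            verify_request_object(token, key)
            print(label, "accepted")
        except ValueError as exc:
            print(label, "rejected:", exc)
```

The strict check rejects the `typ: JWT` value that the thread's non-normative example implies, which is exactly the behaviour a profile choosing solution 2 would specify; setting `require_explicit_typ=False` reproduces the permissive behaviour of existing JAR deployments that accept untyped objects.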