Most (all?) JWTs/JWSs defined by Federation are mandated to contain the typ header parameter with a suitable value, e.g., trust-mark+jwt or entity-statement+jwt.
However, as far as I can see, there is no mandate for the receiver/processor of such JWTs to check these header values.
RFC 8725 (JWS BCP) says (Section 3.11):
[...] JWT can include an explicit JWT type value, and the validation rules can specify checking the type.
I read this as "the specification introducing the JWT type value has to define the validation rules such that typ is checked".
Section 4.1.9 of RFC 7515 (JWS) is even less specific on this.
Hence, I think the Federation specification should explicitly require receivers of these JWTs to check the typ header.
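The receiver-side check argued for above, as an added example that is not from the original post or from any Federation implementation: the JOSE header's typ is compared against the type the receiver expects (normalised per RFC 7515 Section 4.1.9) before the signature is checked, so a validly signed trust mark cannot be consumed as an entity statement. The HS256 shared key and the sample tokens are constructed for the demo; real Federation statements are signed with asymmetric keys.

```python
import base64, hashlib, hmac, json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def normalize_typ(typ: str) -> str:
    # RFC 7515 s4.1.9: a typ without '/' is shorthand for "application/<typ>";
    # media type names are not case sensitive.
    typ = typ.strip().lower()
    return typ if "/" in typ else "application/" + typ

def make_hs256_jws(header: dict, payload: dict, key: bytes) -> str:
    """Constructed sample token (HS256 shared key is a demo assumption;
    Federation statements are signed with asymmetric keys)."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def verify_typed_jws(token: str, expected_typ: str, key: bytes) -> dict:
    """Return the payload only if the JOSE header's typ matches expected_typ
    and the signature verifies. The typ check happens first so that a
    validly signed token of another Federation type is refused outright."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    typ = header.get("typ")
    if not isinstance(typ, str):
        raise ValueError("typ header missing")
    if normalize_typ(typ) != normalize_typ(expected_typ):
        raise ValueError(f"typ mismatch: got {typ!r}, expected {expected_typ!r}")
    if header.get("alg") != "HS256":  # demo accepts exactly one algorithm, never "none"
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p_b64))

# Constructed demo: an entity statement and a trust mark signed with the same key.
DEMO_KEY = b"demo-shared-secret-not-for-production"
ENTITY_STATEMENT = make_hs256_jws(
    {"alg": "HS256", "typ": "entity-statement+jwt"},
    {"iss": "https://op.example", "sub": "https://op.example"}, DEMO_KEY)
TRUST_MARK = make_hs256_jws(
    {"alg": "HS256", "typ": "trust-mark+jwt"},
    {"iss": "https://tma.example", "sub": "https://op.example", "id": "demo-mark"}, DEMO_KEY)
```

Because both tokens carry a valid signature under the same key, the signature check alone would accept the trust mark wherever an entity statement is expected; only the typ comparison tells them apart.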