[{"author": "Matthew Gillmore", "text": "<p>Can the unsigned variant be added without breaking compatibility?</p>", "time": "2024-11-04T09:54:03Z"}, {"author": "Paul Bastian", "text": "<p>unsigned option is currently a different media type (adn that may be added again later), the other option is using alg=none ;)</p>", "time": "2024-11-04T10:01:44Z"}, {"author": "Matthew Gillmore", "text": "<p>k,  thanks for the clarification</p>", "time": "2024-11-04T10:03:25Z"}, {"author": "Yaron Sheffer", "text": "<p>alg=none (which everybody hates) would reduce the complexity into just one place - the code that configures the JOSE/COSE library.</p>", "time": "2024-11-04T10:04:05Z"}, {"author": "Paul Bastian", "text": "<p>be aware that with decision 1 2 of the 4 media types will vanish</p>", "time": "2024-11-04T10:10:45Z"}, {"author": "Shawn Ngiap", "text": "<p>If we allow \"SHOULD\", it'll never be done.</p>", "time": "2024-11-04T10:10:56Z"}, {"author": "Dean Saxe", "text": "<p>Anyone know why CDNs don\u2019t support content-type?</p>", "time": "2024-11-04T10:11:40Z"}, {"author": "Matthew Gillmore", "text": "<p>+1</p>", "time": "2024-11-04T10:13:48Z"}, {"author": "Brian Campbell", "text": "<p>It's almost like it'd be simpler to only have one type...</p>", "time": "2024-11-04T10:16:22Z"}, {"author": "George Fletcher", "text": "<p>Brian, if only one type... which would you choose?</p>", "time": "2024-11-04T10:20:06Z"}, {"author": "Yaron Sheffer", "text": "<p>datatracker is up again</p>", "time": "2024-11-04T10:20:23Z"}, {"author": "George Fletcher", "text": "<p>Is there a reason we can't define a common nonce solution? Seems like we are working around this in multiple specs.</p>", "time": "2024-11-04T10:30:20Z"}, {"author": "Dean Saxe", "text": "<p>+1</p>", "time": "2024-11-04T10:32:40Z"}, {"author": "Tobias Looker", "text": "<p>Its a very hard problem to generalise IMO and have one adequate solution</p>", "time": "2024-11-04T10:33:53Z"}, {"author": "Tobias Looker", "text": "<p>We also already have multiple solutions</p>", "time": "2024-11-04T10:34:04Z"}, {"author": "Paul Bastian", "text": "<p>In DPoP the nonce is thought of as a step-up, but it lacks a mechanism to explicitly request a nonce without making a full DPoP-Proof</p>", "time": "2024-11-04T10:36:15Z"}, {"author": "Daniel Fett", "text": "<p>+1 to what justin said</p>", "time": "2024-11-04T10:37:46Z"}, {"author": "Yaron Sheffer", "text": "<p>sorry, tech problem</p>", "time": "2024-11-04T10:51:14Z"}, {"author": "Dean Saxe", "text": "<p>Agreed Yaron, this is very wimse oriented</p>", "time": "2024-11-04T11:07:04Z"}, {"author": "George Fletcher", "text": "<p>+1 to Justin's comments about webfinger and deployment issues. I had that problem at AOL and  the solution was very brittle. The owner of the dynamic service was not in control of the entire path of getting the request to the dynamic service.</p>", "time": "2024-11-04T11:25:33Z"}, {"author": "Aaron Parecki", "text": "<p>nobody uses dynamic client registration anyway</p>", "time": "2024-11-04T11:31:50Z"}, {"author": "George Fletcher", "text": "<p>I know of some implementations of DCR</p>", "time": "2024-11-04T11:32:13Z"}, {"author": "Aaron Parecki", "text": "<p>@George you make a good point tho, it seems like there should be an option for the client to authenticate this request too</p>", "time": "2024-11-04T11:32:21Z"}]