[Openid-specs-fapi] Yet another take on FAPI signatures
Anders Rundgren
anders.rundgren.net at gmail.com
Sun May 20 03:43:25 UTC 2018
As some of you know, I'm not overly convinced that shrouding your precious business data in Base64Url is a great solution.
However, there seems to be a cool way of combining Detached JWS with a pretty simple JSON canonicalization scheme:
https://github.com/w3c/payment-request/issues/714
Is this better than using HTTP headers? I think so because messages remain signed even when stored. As the example above shows, it also works in non-HTTP contexts.
Anders
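
The approach mentioned in the message above, as an added example that is not part of the original post or of the linked issue: a detached JWS (empty payload segment) is computed over a canonical form of a JSON message and carried inside the message itself, so it still verifies after the message is stored and re-serialized. The canonicalization is a simplified stand-in (sorted keys, compact separators), and the HS256 key, the `signature` property name and the sample fields are constructed assumptions.

```python
import base64, hashlib, hmac, json

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def canonicalize(obj) -> bytes:
    # Simplified canonical form (assumption): sorted keys, no insignificant
    # whitespace, UTF-8. Number formatting is not normalized here.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

# The only protected header this verifier accepts; pinning it avoids
# letting the sender choose the algorithm.
PROTECTED = b64u(canonicalize({"alg": "HS256"}))

def mac_for(key: bytes, body: dict) -> bytes:
    # JWS signing input: BASE64URL(header) "." BASE64URL(payload)
    signing_input = f"{PROTECTED}.{b64u(canonicalize(body))}".encode("ascii")
    return b64u(hmac.new(key, signing_input, hashlib.sha256).digest()).encode("ascii")

def sign(message: dict, key: bytes) -> dict:
    signed = dict(message)
    # Detached form: header..signature (payload segment left empty)
    signed["signature"] = f"{PROTECTED}..{mac_for(key, message).decode('ascii')}"
    return signed

def verify(signed: dict, key: bytes) -> bool:
    body = dict(signed)
    sig = body.pop("signature", None)
    if not isinstance(sig, str):
        return False
    parts = sig.split(".")
    if len(parts) != 3 or parts[0] != PROTECTED or parts[1] != "":
        return False
    # Rebuild the payload from the message itself and compare in constant time
    return hmac.compare_digest(parts[2].encode("utf-8"), mac_for(key, body))

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key
    msg = {"payee": "Example Corp", "amount": "100.00", "currency": "EUR"}
    stored = json.dumps(sign(msg, key), indent=4)   # pretty-printed for storage
    loaded = json.loads(stored)
    print("stored copy verifies:", verify(loaded, key))
    loaded["amount"] = "900.00"
    print("tampered copy verifies:", verify(loaded, key))
```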