secure-systems-lab / dsse

A specification for signing methods and formats used by Secure Systems Lab projects.

Home Page: https://dsse.dev


Relax URI requirement on payloadType?

MarkLodato opened this issue · comments

Currently payloadType MUST be a URI. I'm leaning towards relaxing this requirement to be a SHOULD, and possibly also recommending Media Type as an alternative. The benefit is that Media Types are already an established mechanism for designating the type of media and are used extensively in Docker/OCI.

The purpose of this field is to avoid confusion attacks where the verifier interprets the payload in a way that the signer did not intend. For this reason, a media type like application/json is bad (and we should discourage it) because it's too ambiguous. But we could instead have an application-specific type like
But we can recommend something like Docker/OCI does, e.g. application/vnd.oci.descriptor.v1+json, which really serves the same purpose as the URI.

Any thoughts one way or the other?

Something like the Docker/OCI alternative mentioned seems reasonable to me instead of just application/json. One thing, and I may be misunderstanding this, is that OCI seems to exhaustively list their media types. Will enforcement of "more information than just application/json" become an issue with something like the signing-spec which anyone can use, and therefore define a media type for?

If the URI requirement is dropped to a SHOULD, would implementations be expected to also support media type alternatives? Especially if the spec lists them as an alternative?

I'm thinking that we'd say something like:

payloadType is an opaque, case-sensitive string that uniquely and unambiguously identifies how to interpret payload. This includes both the encoding (JSON, CBOR, etc.) as well as the meaning/schema. To prevent collisions, it SHOULD be either:

  • (recommended) A case-normalized URI. Example: https://in-toto.io/Statement/v1-json
  • A lowercase Media Type (a.k.a. MIME type or Content Type). Example: application/vnd.in-toto.statement.v1+json.
    • IMPORTANT: If Media Type is used, it SHOULD NOT be a generic one that only represents encoding but not schema. For example, application/json is almost always WRONG. Instead, invent a media type specific for your application in the application/vnd namespace.
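To make the proposed wording concrete, here is an added example (my own illustration, not code from the dsse project or from the commenters) of what a verifier does with payloadType. It classifies the field as either a URI or a lowercase Media Type, refuses generic encoding-only types such as application/json, and, because the whole point is to stop the verifier from interpreting a payload the signer never intended, refuses any type the verifier has no handler for. It then builds the DSSE PAE bytes that the signature is actually checked against. The envelope field names (payloadType, payload, signatures) and the PAE layout are those of the DSSE spec; the envelope and the accepted-type list are constructed for the example, and no real signature verification is performed (that step depends on the key type and is outside the point being made).

```python
import base64
import json
import re
from urllib.parse import urlparse

# Media types that name only an encoding, never a schema. A verifier must
# not accept these as payloadType: they do not say what the payload *means*.
GENERIC_MEDIA_TYPES = {
    "application/json",
    "application/cbor",
    "application/octet-stream",
    "text/plain",
}

# RFC 6838 restricted-name characters, lowercase only, as the proposal requires.
MEDIA_TYPE_RE = re.compile(r"^[a-z0-9][a-z0-9!#$&^_.+-]*/[a-z0-9][a-z0-9!#$&^_.+-]*$")


def classify_payload_type(payload_type: str) -> str:
    """Return 'uri' or 'media-type'; raise ValueError for anything ambiguous.

    Follows the proposed rule: a URI is preferred, a lowercase Media Type is
    acceptable, and an encoding-only type such as application/json is rejected.
    """
    if not payload_type or payload_type != payload_type.strip():
        raise ValueError("payloadType must be a non-empty string without surrounding whitespace")
    parsed = urlparse(payload_type)
    if parsed.scheme and parsed.netloc:
        return "uri"
    if payload_type in GENERIC_MEDIA_TYPES:
        raise ValueError(f"{payload_type!r} identifies only an encoding, not a schema")
    if MEDIA_TYPE_RE.match(payload_type):
        return "media-type"
    raise ValueError(f"{payload_type!r} is neither a URI nor a lowercase media type")


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the bytes that are signed.

    PAE(type, body) = "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body
    Binding the type into the signed bytes is what stops an attacker from
    re-labelling a signed payload with a different payloadType.
    """
    type_bytes = payload_type.encode("utf-8")
    return b" ".join([
        b"DSSEv1",
        str(len(type_bytes)).encode("ascii"),
        type_bytes,
        str(len(payload)).encode("ascii"),
        payload,
    ])


def _b64decode_lenient(data: str) -> bytes:
    # DSSE allows unpadded base64; add padding before strict decoding.
    return base64.b64decode(data + "=" * (-len(data) % 4), validate=True)


def check_envelope(envelope_json: str, accepted_types: set[str]) -> bytes:
    """Validate an envelope's payloadType and return the PAE bytes to verify.

    `accepted_types` is the set of types this particular verifier knows how to
    interpret. Anything else is rejected even if it is a well-formed URI or
    media type: an unknown type means an unknown schema, which is exactly the
    confusion the field exists to prevent.
    """
    env = json.loads(envelope_json)
    payload_type = env["payloadType"]
    kind = classify_payload_type(payload_type)
    if payload_type not in accepted_types:
        raise ValueError(f"no handler registered for {kind} payloadType {payload_type!r}")
    if not env.get("signatures"):
        raise ValueError("envelope carries no signatures")
    payload = _b64decode_lenient(env["payload"])
    # The caller now checks each entry in env["signatures"] over these bytes.
    return pae(payload_type, payload)


# Constructed sample envelope for the example (not a real attestation).
SAMPLE_STATEMENT = b'{"_type":"https://in-toto.io/Statement/v1"}'
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": "https://in-toto.io/Statement/v1-json",
    "payload": base64.b64encode(SAMPLE_STATEMENT).decode("ascii"),
    "signatures": [{"keyid": "constructed-key-id", "sig": "AA=="}],
})

if __name__ == "__main__":
    accepted = {"https://in-toto.io/Statement/v1-json"}
    print(check_envelope(SAMPLE_ENVELOPE, accepted))
```

Two design points worth noting: the type string goes into the PAE unchanged, so a verifier that compares payloadType before decoding the payload gets the anti-confusion property for free, and the allowlist check is separate from the syntax check because a syntactically fine type such as application/vnd.example.other.v1+json is still the wrong schema for a verifier expecting in-toto Statements.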

I like the option to use media type. This would also allow for future use within OCI without any major changes.


Thanks @MarkLodato. This seems reasonable to me.

Thanks! Sent out pull request #26 to implement.