Introduces three assurance levels (L1 unsigned JSON, L2 JOSE signing,
L3 JOSE signing with audit ledger) so deployments can choose the
appropriate trade-off between simplicity and regulatory compliance.
Decouples ECTs from WIMSE/SPIFFE hard dependencies by introducing an
abstract identity binding model with concrete profiles for WIMSE,
X.509, and JWK sets. The typ header moves from wimse-exec+jwt to
exec+jwt (with backward compatibility).
Includes blog article (blog-ect-assurance-levels.md) explaining the
assurance levels change and identity-framework agnostic design.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
