This is really "has issue" rather than "has issues".

The draft is pretty simple and straightforward, and provides MIME types that correspond to the URI or OID that's in the payload, so that the payload doesn't have to be inspected to determine what EAT type it is. This is all fine.

However, I think the security considerations section needs a discussion of what happens when the MIME type on the request DOES NOT correspond correctly to the URI or OID that's in the payload. Failure to correctly handle that case could lead to cross-protocol attacks against other token types, and so on, so I think some discussion or advice is necessary, even if it is to simply point out why this isn't a concern, or which portion of the document handles this that I missed.

-Tim