catalyst-core
Add Catalyst Web Token design specification
Couple of general comments:
* CWT as "catalyst web token" seems to conflict with "cbor web token", so the sentence "a CWT is a CWT" is now something we might actually want to say. Maybe there's another name? Catalyst Auth Token? Permissionless Auth Token? Maybe this needs some bikeshedding
I intentionally used the same acronym because it is literally a CBOR Web Token, so it can be interpreted either way. However, this relates to the title of this document, because I actually define a Pre Auth token and an Auth token. So I probably don't need to explicitly call it a CWT.
* Should this be in `catalyst-standards`? Or will we generally "promote" stuff from here to `catalyst-standards` once we're happy with it?
Yes, it should. My plan is to do an internal review here until I am happy with the catalyst standards repo. Once that repo is ready for standards, I will move this document over.
Is there any mitigation for CSRF, i.e. state?
The short answer is yes, it should be CSRF proof if implemented properly at both ends. The longer answer will be added to the document :)
This is priceless. If we can say a CWT is a CWT, then we can also say a dREP is a dREP.