I agree strongly that JWT is badly flawed, and that criticisms of JWT don't constitute "FUD". JWT's uptake has been alarming given how little cryptographic engineering input the format seems to have received, versus how complex it is under the hood.
That said:
Asymmetric crypto is a crypto code smell. You use it when you absolutely have to because there's no other way to express what you're trying to accomplish. It is much harder to get public key crypto right than it is to safely use a "Seal/Unseal" AEAD interface. One of the things that alarms me about JWT is that it's a format that presumes developers might want to effortlessly switch between symmetric and asymmetric crypto, as if they were just two different ways of solving the same underlying problem.