I'm skimming RFC9421's signing and validation algorithms for reasons, and it seems like the spec provides way more room for confusion about what's being signed than I'd prefer, with guidance like "Determine an order for any signature parameters...". How? 🤷

https://www.rfc-editor.org/rfc/rfc9421.html