TLS and JWT are both "IETF protocols", but the IETF police won't arrest if you if you slot XChaCha20 into either of them.
This is actually how it's supposed to work: RFCs are meant, at least somewhat routinely, to trail implementations. "Loose consensus and working code" used to be the motto. Get XChaCha20 deployed, and then let the IETF standardize it because they have to. That's what happened with Curve25519.
This is actually how it's supposed to work: RFCs are meant, at least somewhat routinely, to trail implementations. "Loose consensus and working code" used to be the motto. Get XChaCha20 deployed, and then let the IETF standardize it because they have to. That's what happened with Curve25519.