JSON Web Certificate (JWC) is a compact means of representing an association between an identity and a (JSON Web Key) JWK signing key. The claims in a JWC are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure, enabling the claims to be digitally signed with an associated JWK.
Should be JWC
Required
Should be sig
Used for associating key, claims and private keys.
Required
Same as jwk.kid
in protected header.
see https://tools.ietf.org/html/rfc7515#section-5.1 and https://tools.ietf.org/html/rfc7519#section-7.1
see https://tools.ietf.org/html/rfc7515#section-5.2 and https://tools.ietf.org/html/rfc7519#section-7.2
Subkeys are a JWS signing the following fields using the key in the jwk
parameter of the certificate protected header.
In many cases it is not desirable to use the key specified in the protected header of the certificate for daily tasks. Instead the certificate owner can create some set of subkeys which are used regularly while the main certificate is kept in a hardened or offline location. These subkeys can then be issued or revoked as needed without change to the main certificate.
A JWK set over which the certificate is asserting ownership.
In the lifetime of one certificate different subkeys will likely be added and removed. Each signed set of subkeys can be considered a "version" of the subkey set.
Given multiple versions of a subkey set, the latest (based on iss
) valid (respecting nbf
and exp
) version should be used, all others should be ignored.
Key revocation is out the scope of this document, but any received revocation should be respected, regardless of a key's inclusion in the latest version of the subkey set.
Take the key
parameter from the JWC protected header.
Add private key data.
Base64url encode that object and use it as the body for a JWE.
Set the kid
parameter of the JWE header to be the same as the jwk.kid
parameter from the JWC protected header.
Encrypt the private keys of the subkey set SEPARATELY.