Keys shall be delivered within a JWS according to mts4: a JSON structure signed using JWS (RFC 7515) with the following parameters and content:
The JWS Protected Header shall contain the following fields:
{
  "alg": "ES256",
  "kid": string <kid of the key-management key, supplied by the AB>,
  "authid": string <Participants ID (PID)>,
  "notvalidafter": string (ISO 8601),
  "serial": integer (serialNumber)
}
The JWS Payload shall contain the following fields:
{
  "mtbPublicKeys": [ JWK Object, JWK Object .. JWK Object ], (only new keys; existing keys still in use shall not be listed again)
  "removemtbPublicKeys": [ JWK Object kid, JWK Object kid .. JWK Object kid ] (if no keys are to be removed, this field can be omitted)
}
The JWS shall be formatted in the JWS Compact Serialization according to RFC 7515, section 3.1 (https://tools.ietf.org/html/rfc7515#section-3.1):
BASE64URL(UTF8(JWS Protected Header)) || '.' ||
BASE64URL(JWS Payload) || '.' ||
BASE64URL(JWS Signature)
Notes:
A JWK with an existing kid is skipped, as a specific key cannot be updated. To update a key, the existing key must be removed and a new one defined.