Keys shall be delivered within an JWS according to mts4 but with the following a JSON structure signed using JWS (RFC 7515) with the following parameters and content:
The JWS Protected Header shall contain the following fields:
{
"alg": '
...
ES256',
"kid": string <kid
...
of the key-management key, supplied by the AB>,
"authid": string
...
<Participants ID (PID)> ,
"notvalidafter":
...
string (
...
ISO
...
8601),
"serial": integer (serialNumber)
...
}
The JWS Payload shall contain the following fields:
{
'
...
addMtbPublicKeys': [ JWK Object, JWK Object .. JWK Object ],
(only new keys, existing keys still in use shall not be listed again)
...
...
'delMtbPublicKeys': [ JWK Object kid, JWK Object kid .. JWK Object kid]
(if no keys are to be removed, this field can be omitted)}
The JWS shall be formated in the JWS compact serialization format according to RFC 7515, section 3.1:
BASE64URL(UTF8(JWS Protected Header)) || '.' ||
BASE64URL(JWS Payload) || '.' ||
BASE64URL(JWS Signature)
Notes:
A JWK with an existing kid is skipped as you can't update an specific key. To do an update the existing key must be removed and a new defined.