
Format of JWS to manage MTB public keys


Keys shall be delivered within a JSON structure signed using JWS (RFC 7515) with the following parameters and content:

The JWS Protected Header shall contain the following fields:

{
  "alg": "ES256",
  "kid": string <kid of the key-management key, supplied by the AB>,
  "authid": string <Participant's ID (PID)>,
  "notvalidafter": string (ISO 8601),
  "serial": integer (serialNumber)
}

The JWS Payload shall contain the following fields:

{
  "mtbPublicKeys": [ JWK Object, JWK Object, ..., JWK Object ],
      (only new keys; existing keys still in use shall not be listed again)
  "removemtbPublicKeys": [ JWK Object kid, JWK Object kid, ..., JWK Object kid ]
      (if no keys are to be removed, this field can be omitted)
}

The JWS shall be formatted in the JWS compact serialization format according to RFC 7515, section 3.1:

BASE64URL(UTF8(JWS Protected Header)) || '.' || 
BASE64URL(JWS Payload) || '.' ||
BASE64URL(JWS Signature)

Notes:

A JWK with an existing kid is skipped, as a specific key cannot be updated in place. To update a key, the existing key must be removed and a new one defined.
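The following Go program is an added example, not code from this page or from the AB/MTB system it describes. It builds the JWS described above (ES256, a protected header carrying alg, kid, authid, notvalidafter and serial, and a payload carrying mtbPublicKeys and optionally removemtbPublicKeys), emits it in the compact serialization, and on the receiving side verifies it against a pinned key-management key, rejects a passed notvalidafter, and only then applies the payload to a kid-indexed key store following the note above (a JWK whose kid already exists is skipped). The key pairs, kids, PID and serial number are constructed placeholders; the JWK member set (kty, crv, x, y, kid), reading the ISO 8601 timestamp in its RFC 3339 form, pinning the expected kid on the verifier side, and processing removals before additions are assumptions about the profile, not statements from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// ProtectedHeader carries the fields the page requires in the JWS Protected Header.
type ProtectedHeader struct {
	Alg           string `json:"alg"`
	Kid           string `json:"kid"`           // kid of the key-management key
	AuthID        string `json:"authid"`        // Participant's ID (PID)
	NotValidAfter string `json:"notvalidafter"` // ISO 8601; the RFC 3339 profile is assumed here
	Serial        int    `json:"serial"`
}

// JWK is a minimal EC public-key JWK; limiting it to kty/crv/x/y/kid is an assumption.
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
	Kid string `json:"kid"`
}

// Payload carries the page's payload; removemtbPublicKeys is omitted when empty.
type Payload struct {
	MtbPublicKeys       []JWK    `json:"mtbPublicKeys"`
	RemoveMtbPublicKeys []string `json:"removemtbPublicKeys,omitempty"`
}

var enc = base64.RawURLEncoding // BASE64URL without padding, as RFC 7515 requires

// PublicJWK renders a P-256 public key as a JWK object for mtbPublicKeys.
func PublicJWK(pub *ecdsa.PublicKey, kid string) JWK {
	x, y := make([]byte, 32), make([]byte, 32)
	pub.X.FillBytes(x)
	pub.Y.FillBytes(y)
	return JWK{Kty: "EC", Crv: "P-256", X: enc.EncodeToString(x), Y: enc.EncodeToString(y), Kid: kid}
}

// Sign builds BASE64URL(header).BASE64URL(payload).BASE64URL(signature) with ES256: ECDSA P-256
// over SHA-256, the signature being raw R||S with each half left-padded to 32 bytes.
func Sign(hdr ProtectedHeader, pl Payload, priv *ecdsa.PrivateKey) (string, error) {
	hb, _ := json.Marshal(hdr) // cannot fail for these plain structs
	pb, _ := json.Marshal(pl)
	signingInput := enc.EncodeToString(hb) + "." + enc.EncodeToString(pb)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil { return "", err }
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// Verify checks a compact JWS against the pinned key-management key (kid and public key), enforces
// alg and notvalidafter, and decodes the payload only once the signature holds.
func Verify(token, expectedKid string, pub *ecdsa.PublicKey, now time.Time) (*Payload, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("not a compact JWS") }
	var hdr, pl = ProtectedHeader{}, Payload{}
	if hb, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil {
		return nil, errors.New("malformed protected header")
	}
	if hdr.Alg != "ES256" || hdr.Kid != expectedKid { // never let the header pick the alg or the key
		return nil, errors.New("header rejected: unexpected alg or kid")
	}
	if exp, err := time.Parse(time.RFC3339, hdr.NotValidAfter); err != nil || !now.Before(exp) {
		return nil, errors.New("notvalidafter missing, malformed or passed")
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { return nil, errors.New("malformed ES256 signature") }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature invalid")
	}
	if pb, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &pl) != nil {
		return nil, errors.New("malformed payload")
	}
	return &pl, nil
}

// Apply updates a kid-indexed key store: kids in removemtbPublicKeys are removed, then new JWKs are
// added, skipping any whose kid already exists (the page's note). Removals first is an assumption.
func Apply(store map[string]JWK, pl *Payload) (added, skipped, removed int) {
	for _, kid := range pl.RemoveMtbPublicKeys {
		if _, ok := store[kid]; ok { delete(store, kid); removed++ }
	}
	for _, k := range pl.MtbPublicKeys {
		if _, exists := store[k.Kid]; exists { skipped++; continue }
		store[k.Kid] = k
		added++
	}
	return
}

func main() {
	kmKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)  // constructed key-management key
	mtbKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed new MTB key
	hdr := ProtectedHeader{Alg: "ES256", Kid: "km-kid-placeholder", AuthID: "PID-placeholder", NotValidAfter: "2099-01-01T00:00:00Z", Serial: 1}
	token, _ := Sign(hdr, Payload{MtbPublicKeys: []JWK{PublicJWK(&mtbKey.PublicKey, "mtb-kid-1")}}, kmKey)
	pl, err := Verify(token, "km-kid-placeholder", &kmKey.PublicKey, time.Now())
	if err != nil { panic(err) }
	added, skipped, removed := Apply(map[string]JWK{}, pl)
	println(token[:40]+"...", added, skipped, removed)
}
```

The verifier pins both the expected kid and the public key of the key-management key, and checks alg and notvalidafter before looking at the payload; a JWS whose header names a different alg or kid is rejected even if its signature is valid under some other key, and an existing kid in mtbPublicKeys is counted as skipped rather than overwritten, so a key can only be replaced by removing it first.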
