2.4.1 SignedSecureElementProtectedHeader Object

The SignedSecureElementProtectedHeader object is a JWS protected header that describes how to verify the signature. While RFC 7515 section 4.1 lists the available header members for a JWS, only the ones listed here will be used.

{
  "alg": "ES256",
  "kid": BASE64URL(Subject Key Identifier),
  "x5t#S256": BASE64URL(SHA-256 Certificate Thumbprint)
}
alg
Identifies the signature algorithm, and with it the key type, used to sign the payload. See RFC 7518 section 3.1. Only public key algorithms will be used.
kid
Encoded Subject Key Identifier (RFC 5280 section 4.2.1.2) of the key used to sign the payload. This is the BASE64URL encoding of the subject key identifier value, not the full extension. Used to help identify the key for verification. kid is a free-form field in the JWS standard (see RFC 7515 section 4.1.4), so this definition applies only to the SignedSecureElement object.
x5t#S256
SHA-256 thumbprint (a.k.a. fingerprint) of the certificate for the public key required to validate the signature. Like kid, it can also be used to help identify the key for verification. See RFC 7515 section 4.1.8.
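
A verifier can use these three members to pick the signing certificate before checking the signature. The following is an added example, not code from this specification: it rejects any header that is not exactly the members listed above, then requires kid and x5t#S256 to agree on one trusted certificate. The function names, the trust-store layout (subject key identifier bytes mapped to certificate DER bytes), pinning alg to ES256 and requiring all three members are assumptions, and the sample certificate and key identifier are constructed placeholder bytes.

```python
import base64, hashlib, hmac, json, re

ALLOWED = {"alg", "kid", "x5t#S256"}  # the only members this section permits

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text) -> bytes:
    # JWS base64url is unpadded; refuse anything outside that alphabet.
    if not isinstance(text, str) or not re.fullmatch(r"[A-Za-z0-9_-]+", text):
        raise ValueError("not unpadded base64url")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _no_duplicates(pairs):
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise ValueError("duplicate header member")
    return dict(pairs)

def select_certificate(protected_b64: str, trusted: dict) -> bytes:
    """Return the trusted certificate (DER) that the protected header names.

    trusted maps subject key identifier bytes to certificate DER bytes.
    """
    header = json.loads(b64url_decode(protected_b64),
                        object_pairs_hook=_no_duplicates)
    if not isinstance(header, dict) or set(header) != ALLOWED:
        raise ValueError("header must hold exactly alg, kid and x5t#S256")
    if header["alg"] != "ES256":  # assumption: pin the one value shown above
        raise ValueError("unexpected alg")
    cert = trusted.get(b64url_decode(header["kid"]))
    if cert is None:
        raise ValueError("kid does not match a trusted key")
    thumbprint = hashlib.sha256(cert).digest()  # SHA-256 over the DER bytes
    if not hmac.compare_digest(thumbprint, b64url_decode(header["x5t#S256"])):
        raise ValueError("x5t#S256 does not match the certificate for kid")
    return cert

# Constructed sample data: placeholder bytes, not a real certificate or SKI.
SAMPLE_CERT = b"constructed-certificate-der-bytes"
SAMPLE_SKI = bytes(range(20))
TRUSTED = {SAMPLE_SKI: SAMPLE_CERT}

def make_header(alg="ES256", ski=SAMPLE_SKI, cert=SAMPLE_CERT, **extra) -> str:
    members = {"alg": alg, "kid": b64url(ski),
               "x5t#S256": b64url(hashlib.sha256(cert).digest()), **extra}
    return b64url(json.dumps(members).encode())

if __name__ == "__main__":
    print(select_certificate(make_header(), TRUSTED) == SAMPLE_CERT)
```

Both identifiers only locate a candidate key; the certificate they select still has to come from the verifier's own trust store, and the JWS signature still has to be verified with it.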