2.4.1 SignedSecureElementProtectedHeader Object

The SignedSecureElementProtectedHeader object is a JWS protected header that describes how to verify the signature. While RFC 7515 section 4.1 outlines the available header members for a JWS, only the members listed below will be used.

{
  "alg": "ES256",
  "kid": BASE64URL(Subject Key Identifier),
  "x5t#S256": BASE64URL(SHA-256 Certificate Thumbprint)
}
alg: Describes the key type used to sign the payload (see RFC 7518 section 3.1 for additional details). Only public key algorithms will be used.

kid: Encoded Subject Key Identifier (RFC 5280 section 4.2.1.2) of the key used to sign the payload. This is the BASE64URL encoding of the subject key identifier value, not the full extension. This value helps identify the key for verification purposes. Note that while kid is a free-form field in the JWS standard (see RFC 7515 section 4.1.4), this definition applies only to the SignedSecureElement object.

x5t#S256: SHA-256 thumbprint (also known as a fingerprint) of the certificate for the public key required to validate the signature. Like kid, this value can be used to help identify the key for verification (see RFC 7515 section 4.1.8 for further information).
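
The following Python is an added example, not part of the original specification or of any vendor code. It builds the protected header and checks a received one against a candidate certificate. It assumes the caller already holds the certificate's DER bytes and the raw subject key identifier value, and that the verifier pins alg to the ES256 value shown in the template; the function names are hypothetical and the sample bytes are constructed placeholders.

```python
import base64
import hashlib
import json

ALLOWED_MEMBERS = {"alg", "kid", "x5t#S256"}

# Constructed sample inputs: placeholder bytes, not a real certificate or SKI.
SAMPLE_CERT_DER = b"constructed placeholder standing in for DER certificate bytes"
SAMPLE_SKI = bytes(range(20))


def b64url(data: bytes) -> str:
    """BASE64URL per RFC 7515: URL-safe alphabet with '=' padding removed."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def expected_ids(cert_der: bytes, ski: bytes) -> dict:
    """kid encodes the SKI value only; x5t#S256 hashes the whole DER certificate."""
    return {"kid": b64url(ski),
            "x5t#S256": b64url(hashlib.sha256(cert_der).digest())}


def build_protected_header(cert_der: bytes, ski: bytes) -> str:
    header = {"alg": "ES256", **expected_ids(cert_der, ski)}
    return b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))


def check_protected_header(protected: str, cert_der: bytes, ski: bytes) -> list:
    """Return a list of problems; an empty list means the header matches."""
    try:
        padded = protected + "=" * (-len(protected) % 4)
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:
        return ["protected header is not BASE64URL-encoded JSON"]
    if not isinstance(header, dict):
        return ["protected header is not a JSON object"]
    problems = []
    if set(header) != ALLOWED_MEMBERS:
        problems.append("members differ from alg, kid, x5t#S256")
    if header.get("alg") != "ES256":  # assumption: verifier pins the template's alg
        problems.append("alg is not ES256")
    for name, want in expected_ids(cert_der, ski).items():
        if header.get(name) != want:
            problems.append(name + " does not match the candidate certificate")
    return problems


if __name__ == "__main__":
    print(check_protected_header(
        build_protected_header(SAMPLE_CERT_DER, SAMPLE_SKI), SAMPLE_CERT_DER, SAMPLE_SKI))
```

An empty result only means the header points at the candidate certificate; the ES256 signature and the certificate itself still have to be verified separately.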