> ... The protected header of the JWS MUST meet the following criteria:
>
> * The "alg" field MUST indicate a MAC-based algorithm
> * The "kid" field MUST contain the key identifier provided by the CA
> * The "nonce" field MUST NOT be present
> * The "url" field MUST be set to the same value as the outer JWS
>
> The "signature" field of the JWS will contain the MAC value computed with the
> MAC key provided by the CA.

Why isn't this last sentence part of the preceding bulleted list?
I think the answer is that something is trying to tell me about the
double layers of signatures.
But, if that's the case, I don't think this is clear enough for me to
figure out.
<blockquote>
{
  "protected": base64url({
    ...
  }),
  "payload": base64url({
    ...
    "external-account-binding": {
      "protected": base64url({
        ...
      }),
      "payload": base64url(/* same as in "jwk" above */),
      "signature": /* MAC using MAC key from CA */
    }
  }),
  "signature": "5TWiqIYQfIDfALQv...x9C2mg8JGPxl5bI4"
}
</blockquote>
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
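
Added example, not part of the original message or of the draft: a sketch of the inner layer in the quoted text, where the client MACs its account key with the CA-provided key and the server checks the four header criteria plus the MAC. The function names, the HS256/HS384/HS512 set, and all sample values are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

MAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_binding(account_jwk: dict, kid: str, mac_key: bytes, url: str) -> dict:
    """Client side: MAC the account public key with the CA-provided key."""
    protected = b64u(json.dumps({"alg": "HS256", "kid": kid, "url": url}).encode())
    payload = b64u(json.dumps(account_jwk, sort_keys=True).encode())
    tag = hmac.new(mac_key, f"{protected}.{payload}".encode(), hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64u(tag)}

def check_binding(binding: dict, outer_url: str, outer_jwk: dict, ca_keys: dict) -> list:
    """Server side: return a list of violated criteria (empty means accepted)."""
    header = json.loads(b64u_dec(binding["protected"]))
    errors = []
    digest = MAC_ALGS.get(header.get("alg"))
    if digest is None:
        errors.append("alg is not MAC-based")
    mac_key = ca_keys.get(header.get("kid"))
    if mac_key is None:
        errors.append("kid was not issued by the CA")
    if "nonce" in header:
        errors.append("nonce must not be present")
    if header.get("url") != outer_url:
        errors.append("url differs from outer JWS")
    if json.loads(b64u_dec(binding["payload"])) != outer_jwk:
        errors.append("payload is not the outer account key")
    if digest and mac_key:
        signing_input = f'{binding["protected"]}.{binding["payload"]}'.encode()
        expected = hmac.new(mac_key, signing_input, digest).digest()
        if not hmac.compare_digest(expected, b64u_dec(binding["signature"])):
            errors.append("MAC does not verify")
    return errors

# Constructed sample values (not from the draft or any real CA).
URL = "https://ca.example/acme/new-account"
JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
CA_KEYS = {"kid-1": b"constructed-mac-key-32-bytes-long"}
GOOD = make_binding(JWK, "kid-1", CA_KEYS["kid-1"], URL)
```

The outer JWS, signed with the account key, is not modelled here; `outer_url` and `outer_jwk` stand in for the values taken from its already verified protected header.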