JWK `kid`: UUID vs. issuerSerial

Instead of a UUID, the kid parameter should be used as specified by JAdES.

UUID according to RFC 4122 is recommended as the format of the ID.

https://docs.fitko.de/fit-connect/docs/details/crypto

The content of kid header parameter shall be the base64 (IETF RFC 4648) encoding of one DER-encoded instance of type IssuerSerial type defined in IETF RFC 5035.

https://www.etsi.org/deliver/etsi_ts/119100_119199/11918201/01.01.01_60/ts_11918201v010101p.pdf

RFC 3280 (https://datatracker.ietf.org/doc/html/rfc3280#section-4.1.2.2) states on this:

The serial number MUST be a positive integer assigned by the CA to each certificate. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate). CAs MUST force the serialNumber to be a non-negative integer.

Given the uniqueness requirements above, serial numbers can be expected to contain long integers. Certificate users MUST be able to handle serialNumber values up to 20 octets. Conformant CAs MUST NOT use serialNumber values longer than 20 octets.

Note: Non-conforming CAs may issue certificates with serial numbers that are negative, or zero. Certificate users SHOULD be prepared to gracefully handle such certificates.

=> at most 20*8/6 == 27 characters
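As an added example (not code from FIT-Connect, the JAdES specification or this ticket), the kid construction described above in Python: a minimal DER encoder builds the RFC 5035 IssuerSerial from an issuer DN and a serial number, base64-encodes it, and the decoder enforces the RFC 3280 bound (positive INTEGER, at most 20 octets) when a kid is read back. It assumes the issuer is carried as a single directoryName GeneralName and that the DN uses only C, O and CN attributes; all sample values are constructed.

```python
# Added example (not FIT-Connect or JAdES code): build a `kid` as base64(DER(IssuerSerial))
# per JAdES / RFC 5035 with a tiny DER encoder and check the RFC 3280 serial bound on decode.
import base64

# Pre-encoded OIDs for id-at-countryName, organizationName, commonName (2.5.4.{6,10,3}).
ATTR_OIDS = {"C": b"\x06\x03\x55\x04\x06", "O": b"\x06\x03\x55\x04\x0a", "CN": b"\x06\x03\x55\x04\x03"}

def der(tag: int, content: bytes) -> bytes:
    """DER TLV, short- or long-form definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_integer(value: int) -> bytes:
    """CertificateSerialNumber: positive INTEGER, extra byte keeps the sign bit clear."""
    if value <= 0:
        raise ValueError("serialNumber must be positive (RFC 3280 4.1.2.2)")
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def der_name(rdns) -> bytes:
    """Name ::= RDNSequence; one UTF8String AttributeTypeAndValue per RDN (assumption)."""
    return der(0x30, b"".join(der(0x31, der(0x30, ATTR_OIDS[t] + der(0x0C, v.encode())))
                             for t, v in rdns))

def issuer_serial_kid(issuer, serial: int) -> str:
    """IssuerSerial ::= SEQUENCE { issuer GeneralNames, serialNumber }; issuer as one [4] directoryName."""
    general_names = der(0x30, der(0xA4, der_name(issuer)))
    return base64.b64encode(der(0x30, general_names + der_integer(serial))).decode()

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) of the DER element at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def serial_from_kid(kid: str) -> int:
    """Decode a kid; serialNumber must be a positive INTEGER of at most 20 octets."""
    tag, body, _ = read_tlv(base64.b64decode(kid, validate=True))
    if tag != 0x30:
        raise ValueError("kid is not a DER IssuerSerial SEQUENCE")
    _, _, pos = read_tlv(body)                 # skip GeneralNames
    tag, content, _ = read_tlv(body, pos)
    value = int.from_bytes(content, "big", signed=True)
    if tag != 0x02 or value <= 0 or value.bit_length() > 160:
        raise ValueError("serialNumber outside the RFC 3280 range")
    return value
```

Note that the 27-character bound above applies to the serial number alone; the complete kid also carries the DER-encoded issuer name, so it is considerably longer.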

Edited by René Zimmermann