JWS: JSON Web Signature

Last updated: 2/9/2026

Reading time: 4 min

JWS

cryptography

Full Name: JSON Web Signature

Definition

JWS (JSON Web Signature) is an IETF standard defined in RFC 7515 that provides a framework for digitally signing or creating Message Authentication Codes (MACs) for arbitrary content using JSON-based data structures. In the EUDI Wallet ecosystem, JWS is the cryptographic primitive that makes verifiable credentials trustworthy -- every SD-JWT credential, every protocol token, and every key binding proof relies on JWS signatures to guarantee data integrity and issuer authenticity.

Signature Creation and Verification Process

When an EUDI Wallet credential issuer creates a signed credential, the JWS process works as follows. First, the issuer constructs the JWS Header, a JSON object specifying the signing algorithm (e.g., ES256, ECDSA over the P-256 curve with SHA-256) and the key identifier (kid) pointing to the issuer's public key in its JWK Set.

Next, the issuer constructs the JWS Payload containing the credential claims -- the actual identity attributes such as name, date of birth, and nationality. Both the header and payload are Base64URL-encoded, and the signing input is formed by concatenating them with a dot separator. The issuer then computes the digital signature over this input using their private key.

The resulting JWS in compact serialization is the concatenation of the encoded header, encoded payload, and encoded signature, separated by dots. This produces a compact, URL-safe string that can be easily transmitted in HTTP headers, URL parameters, or JSON fields.

Verification reverses this process: the verifier decodes the header to determine the algorithm and key ID, retrieves the corresponding public key from the issuer's JWK Set, and cryptographically verifies the signature against the header and payload. Because the header is not protected until the signature has been checked, the verifier should accept only the algorithms it expects for that issuer rather than honouring whatever alg value the header names. If the signature is valid, the verifier can trust that the credential was issued by the claimed issuer and has not been modified.
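The creation and verification steps above, as an added example that is not part of the original page. It uses the HS256 MAC algorithm from the Python standard library so that it runs without dependencies; an EUDI issuer would use ES256 with a public key published in its JWK Set, but the header, the Base64URL-encoded dot-joined signing input and the compact serialization are built exactly the same way. The JWK Set, the kid, the allow-list and the claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    # Base64URL without padding, as JWS requires.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed stand-in for the issuer's JWK Set: one symmetric key with a kid.
# Real EUDI issuers publish EC public keys for ES256; HS256 is used here only
# so the example runs with the standard library.
ISSUER_JWKS = {
    "keys": [
        {"kty": "oct", "kid": "issuer-key-1", "alg": "HS256",
         "k": b64url_encode(b"example-shared-secret-not-for-production")}
    ]
}

# The verifier decides which algorithms it accepts; the header does not.
ALLOWED_ALGS = {"HS256"}


def jws_sign_compact(payload: dict, jwk: dict) -> str:
    """Build the header, Base64URL both parts, MAC the dot-joined input and
    return header.payload.signature (compact serialization)."""
    header = {"alg": jwk["alg"], "kid": jwk["kid"], "typ": "JWT"}
    enc_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    enc_payload = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{enc_header}.{enc_payload}".encode("ascii")
    key = b64url_decode(jwk["k"])
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{enc_header}.{enc_payload}.{b64url_encode(sig)}"


def jws_verify_compact(token: str, jwks: dict, allowed_algs=ALLOWED_ALGS) -> dict:
    """Return the verified payload, or raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    enc_header, enc_payload, enc_sig = parts
    header = json.loads(b64url_decode(enc_header))
    alg = header.get("alg")
    if alg not in allowed_algs:  # rejects "none" and anything unexpected
        raise ValueError(f"algorithm not allowed: {alg!r}")
    kid = header.get("kid")
    matches = [k for k in jwks["keys"] if k.get("kid") == kid and k.get("alg") == alg]
    if len(matches) != 1:
        raise ValueError(f"no unique key for kid {kid!r}")
    key = b64url_decode(matches[0]["k"])
    signing_input = f"{enc_header}.{enc_payload}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison of the MAC values.
    if not hmac.compare_digest(expected, b64url_decode(enc_sig)):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(enc_payload))


def jws_is_valid(token: str, jwks: dict) -> bool:
    try:
        jws_verify_compact(token, jwks)
        return True
    except ValueError:  # covers bad Base64URL and bad JSON as well
        return False


if __name__ == "__main__":
    claims = {"iss": "https://issuer.example", "given_name": "Erika",
              "birthdate": "1964-08-12"}
    token = jws_sign_compact(claims, ISSUER_JWKS["keys"][0])
    print(token)
    print(jws_verify_compact(token, ISSUER_JWKS))
```

The verifier looks the key up by both kid and alg and refuses to proceed unless exactly one key matches, so a header that names an unknown key, or the algorithm "none", fails before any cryptographic comparison is made.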

JWS in EUDI Wallet Credential Formats

JWS is the signature mechanism used by SD-JWT (Selective Disclosure JWT), one of the two primary credential formats in the EUDI Wallet ecosystem. An SD-JWT credential is fundamentally a JWS with a structured payload that supports selective disclosure. The issuer signs the entire credential using JWS, and the holder can later reveal only specific claims while the signature remains verifiable.

The SD-JWT format extends JWS by adding hash-based selective disclosure. Each disclosable claim is removed from the signed payload and replaced by the digest of a salted disclosure (salt, claim name, claim value), listed in the payload's _sd array. When presenting the credential, the wallet includes the original JWS along with the disclosure objects for the specific claims the verifier requested. The verifier checks that each disclosure hashes to a digest in the signed payload, maintaining cryptographic integrity while enabling privacy-preserving presentations.

Beyond credentials themselves, JWS is used throughout the EUDI Wallet protocol stack. OpenID4VP authorization requests can be signed as JWS objects to prove verifier authenticity. Key binding proofs during credential presentation are JWS-signed by the wallet's device key. DPoP (Demonstrating Proof-of-Possession) tokens in OpenID4VCI are also JWS structures. The pervasive use of JWS ensures consistent cryptographic guarantees across all protocol layers.

Serialization Formats and Use Cases

JWS supports two serialization formats, each suited to different scenarios. The compact serialization produces a single URL-safe string (three dot-separated Base64URL values) and is used for most EUDI Wallet operations, including SD-JWT credentials, access tokens, and protocol messages. Its compactness makes it ideal for HTTP headers and URL query parameters.

The JSON serialization represents the JWS as a full JSON object with named fields for each component. It supports additional features like unprotected headers and multiple signatures over the same payload. While less commonly used in EUDI Wallet flows, JSON serialization is valuable when a credential needs to carry multiple signatures (e.g., from the issuer and a counter-signer) or when the full JSON structure provides better integration with existing systems.

JWS also supports detached payloads (RFC 7515 Appendix F, often combined with the unencoded payload option of RFC 7797), where the payload is transmitted through a separate channel rather than embedded in the JWS structure. This is useful for large payloads or when the signed content is already available to the verifier through other means. The JWS then serves purely as a signature attachment that can be verified against the separately obtained content.
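The detached form described above, as an added example that is not part of the original page. The signer emits header..signature with an empty payload slot, and the verifier reconstructs the signing input from content it obtained separately; with the RFC 7797 option (b64 false, listed in crit) the raw payload bytes are the signing input instead of their Base64URL encoding. The key, the sample document and the HS256 stand-in for ES256 are constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed signer key; HS256 stands in for the ES256 an EUDI party would use.
SIGNER_KEY = b"example-detached-secret-not-for-production"


def signing_input(enc_header: str, payload: bytes, unencoded: bool) -> bytes:
    # RFC 7515: BASE64URL(header) '.' BASE64URL(payload)
    # RFC 7797 (b64=false): BASE64URL(header) '.' payload, with the raw bytes
    middle = payload if unencoded else b64url(payload).encode("ascii")
    return enc_header.encode("ascii") + b"." + middle


def sign_detached(payload: bytes, unencoded: bool = False) -> str:
    """Return header..signature; the payload travels through another channel."""
    header = {"alg": "HS256"}
    if unencoded:
        header["b64"] = False
        # crit makes verifiers that do not understand b64 reject the JWS
        # instead of silently verifying the wrong signing input.
        header["crit"] = ["b64"]
    enc_header = b64url(json.dumps(header, separators=(",", ":")).encode())
    sig = hmac.new(SIGNER_KEY, signing_input(enc_header, payload, unencoded),
                   hashlib.sha256).digest()
    return f"{enc_header}..{b64url(sig)}"


def verify_detached(detached_jws: str, payload: bytes) -> bool:
    """Verify a detached JWS against separately obtained payload bytes."""
    enc_header, empty, enc_sig = detached_jws.split(".")
    if empty != "":
        raise ValueError("expected a detached JWS with an empty payload slot")
    header = json.loads(b64url_decode(enc_header))
    if header.get("alg") != "HS256":  # allow-list, not the header's choice
        raise ValueError("algorithm not allowed")
    # Every critical parameter must be one this verifier understands.
    if any(name != "b64" for name in header.get("crit", [])):
        raise ValueError("unsupported critical header parameter")
    unencoded = header.get("b64", True) is False
    expected = hmac.new(SIGNER_KEY, signing_input(enc_header, payload, unencoded),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(enc_sig))


if __name__ == "__main__":
    document = b'{"credential":"large body delivered out of band"}'  # constructed
    tag = sign_detached(document, unencoded=True)
    print(tag, verify_detached(tag, document))
```

Any change to the separately delivered content, even a single trailing byte, changes the reconstructed signing input and the comparison fails; the verifier never has to parse or store the payload inside the JWS itself.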


Sources

Information verified against official sources (2/16/2026)

  1. RFC 7515 - JSON Web Signature (JWS)
  2. EU Digital Identity Wallet Implementation
