AgentPKI — Trust anchor (JWKS / Revocation / Status List)

JWKS & Rotation

• Set kid per key; roll: add new key before removing old (grace window).
• Expose jwks_uri, support caching (ETag/Cache-Control).
• Refs: RFC7517, Auth0/Okta docs.

Example: jwks.json

Revocation (CRL / Status List)

• Support both: simple JSON CRL + W3C Status List 2021.
• Reasons: ownership change, key compromise, abuse, opt-out.
• SLA: update within 24h and timestamp.

Templates

// CRL (JSON)
{ "revoked": [ {"kid":"2025-01-01-rsa","reason":"compromise","revoked_at":"2025-01-10T00:00:00Z"} ] }