Key id and thumbprint
The checker computes each key's RFC 7638 thumbprint and reports it; a custom kid is allowed and never fails.
What this check verifies
For each structurally valid key, the checker computes the RFC 7638 JWK thumbprint: a SHA-256 hash over the key’s canonical members (kty, crv, x), base64url-encoded. It reports that thumbprint and notes whether each key’s kid happens to equal it.
This check is informational. It always passes for a structurally valid key. It does not fail and does not cap the grade, whatever the kid is.
The kid (key id) in a JWK is a free-form label, per RFC 7517. It is not required to equal the thumbprint. A custom label is allowed:
{ "kty": "OKP", "crv": "Ed25519", "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo", "kid": "sovp-signing-key-v1" }
So is using the thumbprint as the kid, which is Cloudflare’s convention.
Why it matters
This is where the directory kid and the signature keyid need to be kept apart, because only one of them is constrained.
When an agent signs a request, the signature carries a keyid parameter, and the web-bot-auth signature spec requires that keyid to be the SHA-256 JWK thumbprint of the signing key. A verifier resolves the signature by computing the thumbprint of each directory key and matching it against the signature’s keyid. The match is on the computed thumbprint, not on the directory’s kid label.
That is why a custom kid is harmless. The directory kid is a human-readable name; the resolution that actually matters uses the thumbprint, which the checker computes for you and displays. You can label your key sovp-signing-key-v1 and it will still resolve correctly, as long as the signature’s keyid is the thumbprint of that key.
The checker surfaces the thumbprint so you can confirm your signing agent is sending it as the signature keyid.
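The computation and the resolution step described above, as an added Python example (not the checker's own code): the RFC 7638 canonical input, the thumbprint, and a verifier-side lookup that matches on the computed thumbprint and ignores the kid label. The directory is constructed from the page's example key plus a placeholder second key, and the function names are assumptions of this example.

```python
import base64
import hashlib
import json

# Members that enter the RFC 7638 hash input, per key type (OKP members per RFC 8037),
# emitted in lexicographic order with no whitespace.
THUMBPRINT_MEMBERS = {
    "OKP": ("crv", "kty", "x"),
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
}

def canonical_input(jwk: dict) -> str:
    """Return the exact UTF-8 string that RFC 7638 hashes for this key."""
    members = THUMBPRINT_MEMBERS.get(jwk.get("kty"))
    if members is None:
        raise ValueError(f"no thumbprint rule for kty={jwk.get('kty')!r}")
    missing = [m for m in members if m not in jwk]
    if missing:
        raise ValueError(f"key is missing required members {missing}")
    return json.dumps({m: jwk[m] for m in members}, separators=(",", ":"), sort_keys=True)

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 of the canonical input, base64url without padding (43 characters)."""
    digest = hashlib.sha256(canonical_input(jwk).encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def resolve_signing_key(directory: list, keyid: str):
    """Return the directory key whose computed thumbprint equals the signature's keyid.
    The kid label is ignored on purpose: only the thumbprint is constrained."""
    for jwk in directory:
        if jwk_thumbprint(jwk) == keyid:
            return jwk
    return None

# Constructed directory: the page's example key with its custom kid, plus a second
# placeholder key (its x value is NOT a real Ed25519 public key).
DIRECTORY = [
    {"kty": "OKP", "crv": "Ed25519", "kid": "sovp-signing-key-v1",
     "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo"},
    {"kty": "OKP", "crv": "Ed25519", "kid": "placeholder-key-2",
     "x": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"},
]

if __name__ == "__main__":
    for jwk in DIRECTORY:
        tp = jwk_thumbprint(jwk)
        print(f"kid={jwk['kid']!r}  thumbprint={tp}  kid_is_thumbprint={jwk['kid'] == tp}")
    # A signature carrying the thumbprint resolves; one carrying the custom kid does not.
    print(resolve_signing_key(DIRECTORY, jwk_thumbprint(DIRECTORY[0])) is DIRECTORY[0])
    print(resolve_signing_key(DIRECTORY, "sovp-signing-key-v1") is None)
```

Comparing the printed thumbprint with the value the checker reports for your key confirms both sides agree on the canonical input.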
How to fix it
There is nothing to fix here: the check never fails. Two points to act on, though:
- Note the thumbprint the checker reports. Your signing agent must send that exact value as the keyid parameter in the Signature-Input header. If it sends something else, the signature will not resolve to this key.
- You may keep a custom kid in the directory for your own bookkeeping, or set kid equal to the thumbprint as Cloudflare does. Both are valid. If you choose the convention, set the directory kid to the reported thumbprint.
References
- RFC 7638 defines the JWK thumbprint and its canonical hash input.
- RFC 7517 defines kid as a free-form key identifier.
- The web-bot-auth signature spec requires the signature keyid to be the SHA-256 JWK thumbprint.
- How grading works explains why this informational check never caps the grade.
How the checker scores this
- Tier: JWKS directory
- Role: Advisory. Failing this never caps the grade or changes the verdict.
- Point deduction: A failure deducts 25 points; a warning deducts 6.