This is reversed, but I suspect just a typo: JWS is a special version of a JWT which registers some meaningful claims. As you have alluded to, the JWS claims are largely in the header, and I will admit to not having taken that into account properly with my first suggestion.
They are standardized in JWK and JWS. As your token includes key data in the payload, I took the editorial liberty of making it a compatible JWK. There are other claims that disambiguate or identify keys, but this is the one which is the least restrictive. Valid values for “kty” are defined in JWA, and “blockstack” is surely absent from that list, as is any HD wallet-compatible key system.
“pkc” and “cp” were my “spirit of the standard” swipes at “publicKeyChain” and “chainPath”, though I am not opposed to custom claims being verbose and self-descriptive as you suggest. There is optional guidance in JWT#4.2, but I have rarely actually seen people comply with it, and so long as these claims do not collide with registered claims there is no compatibility concern with other libraries.
I think this is a fine solution with one caveat: there is a process for registering ES256K officially, and doing so helps legitimize it for use in third-party libraries. It may have already been tried and rejected, but I would be happy to help support the official registration of ES256K in any way I can.
The same goes for a “blockstack” or “HD” key type which would in turn officially register “publicKeyChain” and “chainPath” claims.
Thinking this direction would make it easier to one day bring the standard up to your level.
For now, we’ve narrowed the scope of supporting BlockStack in a third party JWT/JOSE library to adding a well-known but technically non-standard-JWA curve for signing/encrypting and a non-standard key type which is more like a key validation for a standard key type.
On second blush, perhaps this is a better standard-compliant token:
    {
      header: {
        typ: 'JWT',
        alg: 'ES256K',
        jwk: {
          kty: 'blockstack',
          publicKey: '03fdd57adec3d438ea237fe46b33ee1e016eda6b585c3e27ea66686c2ea5358479',
          publicKeyChain: 'xpub661MyMwAqRbcFQVrQr4Q4kPjaP4JjWaf39fBVKjPdK6oGBayE46GAmKzo5UDPQdLSM9DufZiP8eauy56XNuHicBySvZp7J5wsyQVpi2axzZ',
          chainPath: 'bd62885ec3f0e3838043115f4ce25eedd22cc86711803fb0c19601eeef185e39'
        }
      },
      payload: {
        iss: 'ryan.id',
        iat: 1444259422196,
        jti: '0b42722b-e781-434a-805d-c09c476e86b9'
      },
      signature: 'XXXXXXXXX'
    }
I apologize if I am pressing this issue too hard. I mean no disrespect and my efforts are focused on making projects like blockstack widely accepted/accessible (even if my opinions sometimes seem otherwise).
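An added example, not part of the original post or of any Blockstack or JOSE library: it serializes the token above in compact form and reports which parts a verifier limited to RFC-defined names would not recognise, plus any custom key members that collide with defined JWK parameter names. The function names are hypothetical, and the name sets are assumptions covering only what RFC 7517, 7518 and 7519 themselves define.

```javascript
// Added example. Name sets cover only what RFC 7517/7518/7519 themselves
// define; later IANA registrations are deliberately omitted (assumption).
const JWA_SIG_ALGS = new Set(['HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512',
  'ES256', 'ES384', 'ES512', 'PS256', 'PS384', 'PS512', 'none']);
const JWA_KTY = new Set(['EC', 'RSA', 'oct']);
const JWK_PARAMS = new Set(['kty', 'use', 'key_ops', 'alg', 'kid', 'x5u', 'x5c', 'x5t',
  'x5t#S256', 'crv', 'x', 'y', 'd', 'n', 'e', 'p', 'q', 'dp', 'dq', 'qi', 'oth', 'k']);
const JWT_CLAIMS = new Set(['iss', 'sub', 'aud', 'exp', 'nbf', 'iat', 'jti']);

// Header and payload copied from the token in the post.
const HEADER = {
  typ: 'JWT',
  alg: 'ES256K',
  jwk: {
    kty: 'blockstack',
    publicKey: '03fdd57adec3d438ea237fe46b33ee1e016eda6b585c3e27ea66686c2ea5358479',
    publicKeyChain: 'xpub661MyMwAqRbcFQVrQr4Q4kPjaP4JjWaf39fBVKjPdK6oGBayE46GAmKzo5UDPQdLSM9DufZiP8eauy56XNuHicBySvZp7J5wsyQVpi2axzZ',
    chainPath: 'bd62885ec3f0e3838043115f4ce25eedd22cc86711803fb0c19601eeef185e39',
  },
};
const PAYLOAD = { iss: 'ryan.id', iat: 1444259422196, jti: '0b42722b-e781-434a-805d-c09c476e86b9' };

// base64url without padding, as used by the compact serialization.
const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const dec = (s) => JSON.parse(
  Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8'));

// Compact form: base64url(header).base64url(payload).signature
const toCompact = (h, p, sig) => `${enc(h)}.${enc(p)}.${sig}`;

function auditToken(compact) {
  const parts = compact.split('.');
  if (parts.length !== 3) throw new Error('expected three dot-separated parts');
  const header = dec(parts[0]);
  const payload = dec(parts[1]);
  const jwk = header.jwk || {};
  const ktyInJwa = JWA_KTY.has(jwk.kty);
  const members = Object.keys(jwk).filter((k) => k !== 'kty');
  return {
    algInJwa: JWA_SIG_ALGS.has(header.alg),
    ktyInJwa,
    // Under a non-JWA key type every member is custom; a collision is a
    // custom member whose name is already defined for JWKs.
    collisions: ktyInJwa ? [] : members.filter((k) => JWK_PARAMS.has(k)),
    customClaims: Object.keys(payload).filter((k) => !JWT_CLAIMS.has(k)),
  };
}

console.log(auditToken(toCompact(HEADER, PAYLOAD, 'XXXXXXXXX')));
```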