I am trying to find a solution for a problem that seems too generic not to be solved by someone more capable than I am. Yet I struggle to find it.
So. I want to create a "chain of trust", which is more or less similar to the X.509 certificate chain but is built entirely on JWT (I know about the x5c, but that's against the rules in this game). The premise of the challenge is: given a chain of "authorities" a1 to a(N), where each authority trusts the next authority in the chain — i.e. a1 trusts a2, a2 trusts a3 ... a(N-1) trusts a(N), as a "consumer" that trusts authority a1, I should be able to establish trust in authority a(N).
X.509 has a concept of a "certificate", which confirms the authenticity of one authority (or, specifically, its private key) using the trust you might have in another authority. That allows you to chain the authorities together and follow the chain from the first one (which you trust) to the last one.
A JWT, however, is typically used in a "single authority" scenario, where the consumer knows its JWK and from that establishes trust in its output.
To create a chain we'd need a(N)'s JWK to contain a public key in the form of a JWT signed by a(N-1). So my question is:
Is there a standard that describes this or should I invent my own wheel?