# Revocation bundles

Authority exports revocation data as an offline-friendly JSON bundle with a
detached JWS signature. Bundles are mirrored with other offline feeds.

Bundle contents
- revocation-bundle.json: canonical JSON payload.
- revocation-bundle.json.jws: detached signature (RFC 7797).
- revocation-bundle.json.sha256: optional digest for mirroring.

Deterministic formatting
- UTF-8 JSON with stable key ordering.
- Arrays sorted by category, id, and revokedAt.
- Timestamps use UTC ISO-8601 with Z.

Revocation categories
- token, subject, client, key.
- reason codes include compromised, rotation, policy, lifecycle.

Verification flow
- Validate schema, recompute sha256, then verify detached JWS.
- Key resolution uses JWKS or offline key bundles.

Operational notes
- Bundles are monotonic by sequence and issuedAt.
- Export a fresh bundle after key rotation.

Related references
- docs/security/revocation-bundle.md
- docs/security/revocation-bundle-example.json