All Tickets (see 8.2.3 and 8.2.4) are encoded as JSON documents. These JSON documents secured with digital signature applied to the general serialization described by RFC 7515. The structure of an RFC 7515 document is as follows.


"payload":"BASE64URL(UTF8(JSON encoded Ticket))",


{"protected":"BASE64URL(UTF8(JSON encoded protected header))",

"header": JSON encoded header,

"signature":" BASE64URL(JWS Signature)"},


{"protected":"BASE64URL(UTF8(JSON encoded protected header))",

"header": JSON encoded header,

"signature":" BASE64URL(JWS Signature)"}]


Appendix A.6 in RFC 7515 provides an example of a document encoding using this structure.

The BASE64URL transform which allows binary data (e.g., UTF8 encoded text) to be represented as ASCII.

The Ticket is encoded as a JSON object using the reversible JSON encoding defined in OPC 10000-6. This JSON object is converted to UTF8 byte array and then BASE64URL before being added to the document.

The protected header specifies the signing Certificate and other information needed to verify the Signature. The required fields are defined in Table 5.

The unprotected header is generally not used; however, it could be used for additional vendor specific information such as a RFC 3161 timestamp or other anti-forgery or validation metadata.

A Signature is computed on the following byte array:

<protected header>.<payload>

Tickets may have additional signatures added by any actor in the supply chain. For example, a CompositeBuilder shall add Signatures to all Tickets for Devices incorporated into the Composite. The protected header shall have the CompositeInstanceUri.

The Certificate and algorithms used to create the payload Signature are the same as the Certificate and algorithms used to create the RFC 7515 Signature. The RFC 7515 header provides the information needed to calculate the size of payload Signature.

Table 5 – RFC 7515 Header Fields

Header Field





The cryptographic algorithm used to sign the Ticket.

The possible values are defined by RFC 7518.

The default when using RSA public keys is “RS256”.


String []

The signing Certificate and all of its issuers.

Each array element is base64 encoded (see RFC 4648) DER encoding.

The first element is the signing Certificate.



The type of Ticket contained in the payload.

This is media type defined by RFC 2045 with the leading “application/” omitted.

The subtype is "opc-ticket+json".

The type parameter is the name from BrowseName of the Structure.

For example, the value for a DeviceIdentityTicketType is:




The CompositeInstanceUri if the Signature was created by a CompositeBuilder who has incorporated the Device into a Composite.