Quick Reference
UM is a specification. Any language/runtime can implement it.
Required Fields
| Field | Required | Type | Notes |
|---|---|---|---|
| `@context` | Yes | string | Version context URL |
| `@id` | Yes | URI string | Recommended `urn:uuid:<uuidv4>` |
| `@type` | Yes | string or array | Must include `um:Manifest` |
| `manifestVersion` | Yes | string | `"0.1"` or `"0.2"` |
| `subject` | Yes | URI string | Stable subject ID |
| `issuedAt` | Yes | timestamp | RFC 3339 |
| `expiresAt` | Yes | timestamp | RFC 3339 |
| `signature` | v0.2 only | object | Ed25519 + JCS profile |
Validation Rules
- Parse JSON object.
- Validate required fields.
- Validate `@type` includes `um:Manifest`.
- Parse timestamps and enforce `issuedAt <= expiresAt`.
- Enforce TTL (`now <= expiresAt`).
- Ignore unknown fields safely.
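The validation rules above, sketched as a consumer-side check in Python. This is an added example, not code from the UM specification or any implementation of it; `validate_manifest`, `ManifestError`, `parse_ts` and the sample values are assumptions, and no signature verification is performed.

```python
import json
from datetime import datetime, timezone

REQUIRED = ("@context", "@id", "@type", "manifestVersion",
            "subject", "issuedAt", "expiresAt")

class ManifestError(ValueError):
    """Raised when a manifest fails a baseline validation rule."""

def parse_ts(value, field):
    # Approximates RFC 3339 with fromisoformat; an explicit offset is mandatory.
    if not isinstance(value, str):
        raise ManifestError(f"{field}: not a string")
    try:
        ts = datetime.fromisoformat(value[:-1] + "+00:00" if value.endswith("Z") else value)
    except ValueError:
        raise ManifestError(f"{field}: not an RFC 3339 timestamp") from None
    if ts.tzinfo is None:
        raise ManifestError(f"{field}: missing UTC offset")
    return ts

def validate_manifest(raw, now=None):
    now = now or datetime.now(timezone.utc)
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ManifestError(f"invalid JSON: {exc}") from None
    if not isinstance(doc, dict):
        raise ManifestError("top-level value is not a JSON object")
    missing = [f for f in REQUIRED if f not in doc]
    if missing:
        raise ManifestError(f"missing required fields: {missing}")
    types = doc["@type"] if isinstance(doc["@type"], list) else [doc["@type"]]
    if "um:Manifest" not in types:
        raise ManifestError("@type does not include um:Manifest")
    issued = parse_ts(doc["issuedAt"], "issuedAt")
    expires = parse_ts(doc["expiresAt"], "expiresAt")
    if issued > expires:
        raise ManifestError("issuedAt is after expiresAt")
    if now > expires:
        raise ManifestError("manifest expired")
    return doc  # unknown fields are returned untouched and never interpreted

# Constructed sample manifest; the context URL and IDs are placeholders.
SAMPLE = json.dumps({
    "@context": "https://example.invalid/um/v0.1", "@id": "urn:uuid:00000000-0000-4000-8000-000000000000",
    "@type": ["um:Manifest"], "manifestVersion": "0.1", "subject": "urn:example:subject-1",
    "issuedAt": "2024-01-01T00:00:00Z", "expiresAt": "2024-01-02T00:00:00Z",
    "x-vendor-extension": {"anything": True},
})
```

Passing `now` explicitly keeps the TTL check deterministic in tests; in production leave it unset so the current UTC time is used.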
v0.2 Signature Verification (5 Steps)
- Check profile pair (`Ed25519`, `JCS-RFC8785`).
- Remove `signature` from payload.
- Canonicalize using JCS.
- Load key from `publicKeySpkiB64` or `keyRef`.
- Verify Ed25519 signature.
Conformance Levels
- `v0.1-baseline`: parse + required fields + TTL + unknown-field tolerance.
- `v0.2-baseline`: v0.1 baseline + signature profile.
- `v0.2-extended`: v0.2 baseline + revocation-aware checks.

Decision tree text fallback:
- Consume only -> `v0.1-baseline`.
- Produce manifests -> add issuer behavior.
- Need tamper protection -> `v0.2-baseline`.
- Need revocation checks -> `v0.2-extended`.