Optional
encryptedMetadata
Metadata associated with the TDF and the request. The contents of the metadata are freeform, and are used to pass information from the client to the KAS. The metadata stored here should not be used for primary access decisions.
Optional
ephemeralPublicKey
PEM encoded ephemeral public key, if wrapped with a KAS EC key.
Optional
kid
Additional information for the Key Access service to identify how to unwrap the key.
Optional
policyBinding
An object that contains a keyed hash that will provide cryptographic integrity on the policy object, such that it cannot be modified or copied to another TDF without invalidating the binding. Specifically, you would have to have access to the key in order to overwrite the policy.
The protocol used to access the key.
Optional
schemaVersion
Version information for the KAO format.
Optional
sid
A key split (or share) identifier. To allow sharing a key across several access domains, the KAO supports a 'Split Identifier'. To reconstruct such a key when encryptionInformation type is 'split', use the xor operation to combine one of each separate sid.
Specifies how the key is stored. Possible Values:
wrapped: The wrapped key is stored as part of the manifest.
remote: [Unsupported] The wrapped key (see below) is stored remotely and is thus not part of the final TDF manifest.
A locator for a Key Access service capable of granting access to the wrapped key.
Optional
wrappedKey
The symmetric key used to encrypt the payload. It is encrypted using the public key of the KAS, then base64 encoded.
A KeyAccess object stores all information about how an object key OR one key split is stored.
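
The split reconstruction described under sid, as an added example that is not code from the project: it combines exactly one share per distinct sid with XOR and fails closed when any sid has no released share. The `share` field (the already-unwrapped split, or null when a Key Access service did not release it), the empty-string default for a missing sid, and the sample data are assumptions made for this illustration.

```javascript
// Added example: rebuild a payload key from XOR key splits, one share per sid.
// Each entry is { sid, share }: `sid` is the KAO split identifier and `share`
// (hypothetical field) is the already-unwrapped key split as a Buffer, or
// null when that Key Access service did not release it.
function combineSplits(entries) {
  const bySid = new Map();
  // Assumption: an entry without a sid belongs to a single default split.
  for (const { sid = '', share } of entries) {
    if (!bySid.has(sid)) bySid.set(sid, []);
    if (share) bySid.get(sid).push(share);
  }
  if (bySid.size === 0) throw new Error('no key access entries');

  let key = null;
  for (const [sid, shares] of bySid) {
    // Every sid must contribute; a missing split leaves the key unrecoverable.
    if (shares.length === 0) throw new Error(`no share released for sid "${sid}"`);
    // Use one share per sid. XORing two copies of the same split would
    // cancel it out and yield the wrong key.
    const share = shares[0];
    if (key === null) { key = Buffer.from(share); continue; }
    if (share.length !== key.length) throw new Error('share length mismatch');
    for (let i = 0; i < key.length; i++) key[i] ^= share[i];
  }
  return key;
}

// Constructed sample: a 32-byte key split into two shares, with split "a"
// held by two services so that either one can supply it.
function sampleEntries() {
  const key = Buffer.alloc(32, 0x5a);
  const a = Buffer.from([...Array(32).keys()]); // fixed bytes stand in for random
  const b = Buffer.from(Array.from(key, (v, i) => v ^ a[i]));
  return {
    key,
    entries: [
      { sid: 'a', share: null }, // first service for split "a" refused
      { sid: 'a', share: a },    // second service for split "a" released it
      { sid: 'b', share: b },
    ],
  };
}
```
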