Fetch the router-signed enforcement profile
§9.3(b) bound-resolver authentication: the caller signs the request with its Trust-List-published key (RFC 9421); the path segment is the high-entropy bound-resolver label from the mint response. A wrong or unknown label returns 404 (indistinguishable from a wrong-resolver dereference — fail-closed, no existence leak, §9.3(a)). The response is a SignedDocument whose document string parses to an EnforcementProfile; verify the signature to the router key then to the root before trusting the profile.
Serving discipline (§8.3.6 cl.3): signatures are minted at compile time and cached per binding. Supports ETag / If-None-Match for 304 Not Modified.
{endpoint_id} path segment is the high-entropy
bound-resolver label from the bind response, and
presenting it under your RFC 9421 signature
is the §9.3(b) authentication. The response is a SignedDocument whose document
string parses to an EnforcementProfile.
A wrong or unknown label returns 404, indistinguishable from a wrong-resolver dereference —
fail-closed, no existence leak (§9.3(a)). The endpoint supports ETag / If-None-Match for
304 Not Modified.
Worked example
The@phosra/gatekeeper SDK is the supported path: it polls, verifies to
the root, and exposes the decision. The raw signed GET is shown alongside it.
GET covers only @method, @target-uri, and ocss-spec-version — no content-digest.
Always verify signed.sig to the router key and root before you trust categories[].200 response (captured from the hosted sandbox — router-signed, categories[]
empty here because the sandbox self-serve child carries no compiled rules yet):
categories[] row carries a category, a decision (allow / warn / block), a
fail_mode, and a per-child rule_ref you echo when you
confirm enforcement.Path Parameters
The high-entropy §9.3(b) bound-resolver label returned by the mint endpoint. Treat as a secret credential — never log.
Response
Router-signed enforcement profile. Verify to root before trusting. categories[] is the canonical profile field.
Router-signed wrapper. document is a JSON STRING on the wire (not an object) whose UTF-8 contents are the canonical JCS bytes the router key signed. Verify with the resolved signing key over exactly those bytes — never by re-stringifying an object. Matches the Signed.MarshalJSON contract in internal/ocss/profile/document.go.
Canonical JSON string of the inner EnforcementProfile document. The signature covers exactly these UTF-8 bytes. Parse as JSON to obtain the EnforcementProfile; do not re-marshal before verifying.
D-15 key id in "did:ocss:#" form.
"did:ocss:phosra-router#router-sandbox-2026-06"
One of: ed25519.
ed25519 base64url-raw (-_ alphabet, no padding) Ed25519 detached signature over the UTF-8 bytes of document. Matches base64.RawURLEncoding in internal/ocss/profile/document.go Sign().