[Openid-specs-ab] Issue #2097: Delegated Entity Configuration signing (openid/connect)
Stefan Santesson
issues-reply at bitbucket.org
Thu Nov 30 15:33:40 UTC 2023
New issue 2097: Delegated Entity Configuration signing
https://bitbucket.org/openid/connect/issues/2097/delegated-entity-configuration-signing
Stefan Santesson:
It is very likely that not all leaf entities will have the combined capability to create and sign their own Entity Statement. This may be caused by a number of reasons:
* The leaf entity is a public client with no static IP and no server capabilities
* RP or Client based on 3rd-party software without sufficient capabilities
We have discussed that a leaf entity could delegate this to its superior Intermediate so that this Intermediate
* Assigns the EntityID (under the Intermediate's FQDN)
* Creates the Entity Configuration
* Publishes the Entity Configuration under the /.well-known location
The only problem with this is that the Entity Configuration must be signed by the leaf entity's federation key. This may turn out to be a very tricky problem, as this requires suitable software with access to the federation key of the leaf entity.
For these situations it would be very helpful if the leaf entity could also delegate the signing of the Entity Configuration to the Intermediate, making it the responsibility of that Intermediate to verify the key used by the leaf entity by some means outside of this specification.
I can think of some ways to solve this:
* Simply allow the Entity Configuration to be signed by an Intermediate entity key that also issues the Entity Statement for this leaf entity.
* Allow the EntityStatement for this leaf entity to be used and published as the EntityConfiguration of this leaf entity.
The latter seems more effective. It would still work the same way, as it is found at the /.well-known location for the EntityID of the leaf entity. It will be treated as the EntityConfiguration of that Entity. The only thing that would differ is the path construction, which will be one statement shorter.
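An added example (not from the issue or from any OpenID Federation implementation) that models the two resolution rules side by side: the current rule, where the document at /.well-known must be self-signed, and the proposed rule, where a statement issued and signed by the Intermediate may stand in for it, making the resolved chain one statement shorter. The entity URLs and the HMAC-based `sign`/`verified` pair are constructed stand-ins for real JWS signatures and published JWKS, so only the iss/sub/key-binding logic is meaningful.

```python
import hashlib, hmac, json

# Constructed stand-in for JWS: HMAC over canonical JSON, with a kid -> secret table
# playing the role of the public keys each entity publishes in its "jwks" claim.
def sign(payload, secret):
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "sig": hmac.new(secret, body, hashlib.sha256).hexdigest()}

def verified(stmt, kid, secrets):
    body = json.dumps(stmt["payload"], sort_keys=True).encode()
    return hmac.compare_digest(stmt["sig"], hmac.new(secrets[kid], body, hashlib.sha256).hexdigest())

TA, INT, LEAF = "https://ta.example", "https://int.example", "https://leaf.example"  # constructed
SECRETS = {"ta-k": b"ta", "int-k": b"int", "leaf-k": b"leaf"}  # constructed federation keys

def ec(entity, kid, hints=()):  # self-signed Entity Configuration
    return sign({"iss": entity, "sub": entity, "jwks": [kid], "authority_hints": list(hints)}, SECRETS[kid])

def es(issuer, kid, subject):  # Subordinate Statement issued by a superior about `subject`
    return sign({"iss": issuer, "sub": subject}, SECRETS[kid])

ENTITY_CONFIGS = {TA: ec(TA, "ta-k"), INT: ec(INT, "int-k", [TA]), LEAF: ec(LEAF, "leaf-k", [INT])}
SUBORDINATES = {(TA, INT): es(TA, "ta-k", INT), (INT, LEAF): es(INT, "int-k", LEAF)}

def resolve(well_known, trust_anchor, allow_delegated=False):
    """Return the trust chain from the /.well-known document up to the trust anchor, else raise."""
    chain, p = [well_known], well_known["payload"]
    if p["iss"] == p["sub"]:                       # ordinary self-signed Entity Configuration
        if not verified(well_known, p["jwks"][0], SECRETS):
            raise ValueError("Entity Configuration not signed by the entity's own key")
        current, superiors = p["sub"], p["authority_hints"]
    elif allow_delegated:                          # proposal: superior-issued statement at /.well-known
        issuer_ec = ENTITY_CONFIGS[p["iss"]]       # the issuer's own (self-signed) configuration
        if not verified(well_known, issuer_ec["payload"]["jwks"][0], SECRETS):
            raise ValueError("delegated statement not signed by the issuer's federation key")
        return chain + resolve(issuer_ec, trust_anchor)   # continue from the issuer; no extra fetch
    else:
        raise ValueError("Entity Configuration must be self-signed (iss != sub)")
    if current == trust_anchor:
        return chain
    for sup in superiors:                          # fetch superior's statement about `current`
        stmt, sup_ec = SUBORDINATES.get((sup, current)), ENTITY_CONFIGS[sup]
        if stmt is None or not verified(stmt, sup_ec["payload"]["jwks"][0], SECRETS):
            continue
        return chain + [stmt] + resolve(sup_ec, trust_anchor)
    raise ValueError("no verifiable path to the trust anchor")
```

Under the current rule the leaf's chain holds five statements; with delegation the Intermediate's statement about the leaf replaces the leaf's self-signed configuration and the chain holds four, while a document claiming the Intermediate as issuer but signed with any other key is still rejected.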