[Federation] Participants can statically distribute the Trust Chains related to them

Issue #1913 resolved
Giuseppe De Marco created an issue

We implemented the ability to provide a pre-processed trust chain when requesting a Client/RP's explicit authorization or registration.

This mechanism requires the inclusion of the Trust Chain within the request, extending the set of traditional parameters of OpenID and OAuth2 authorization requests. This offers the benefit of obtaining the trust chain preprocessed at the request stage.

The satisfied requirement is to avoid the calculation of the trust chain on the OP side, and consequently to reduce the number of Federation Entity Discovery HTTP requests.

This requirement can also be met in a more modular way by adding a federation endpoint, such as federation_trustchain_endpoint, where a federation entity can publish the preprocessed trust chains that pertain to it.

An example of an HTTP request to this brand-new endpoint would be

/trustchain?anchor=https://ta.example.org

The response is a JSON array containing the sequence of statements that validates the Trust Chain, i.e. the Trust Chain itself.
The constraint is that the subject of the request must be the issuer of the response, so the subject can only give the trust chains related to itself.

At the same time, we may not think that this resource is required, since we may say that if the federation_resolve_endpoint is available and the trust_chain parameter in it is mandatory (it is not yet mandatory), the entity that exposes the resolve endpoint MUST make available at least the resolved metadata related to itself and the related Trust Chain.

The result, whether the proposed new federation_trustchain_endpoint or the resolve endpoint is preferred as the solution, is that every participant can evaluate trust in another participant by simply asking for and obtaining the trust chain from that participant and validating it with only the public key of the Trust Anchor.

This mechanism facilitates the public distribution by participants of pre-compiled trust chains related to themselves, updated on a time basis.

This issue would be resolved by taking one of the following decisions:

1. adding federation_trustchain_endpoint in the federation_entity metadata
2. explaining in the current specs how the resolve endpoint helps with that (with the addition of the application of metadata policies as well).

I’m in favor of the second approach, even if the resolve endpoint may also expose trust chains related to other parties, if collected over time and still valid in cache.
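
As an added example (not code from this issue, from the OpenID Federation specification, or from any of its implementations), the following Python sketch shows the flow the issue describes: an entity publishes a pre-processed trust chain about itself behind a hypothetical handler for /trustchain?anchor=..., and a peer validates the returned JSON array with only the Trust Anchor's public key. The entity identifiers (https://ta.example.org, https://int.example.org, https://rp.example.org), the key ids and the three-level TA -> intermediate -> RP topology are constructed for the example. Signatures use a standard-library-only textbook-RSA stand-in for RS256 so the block runs offline; that primitive is not suitable for production.

```python
import base64, hashlib, json, math, random, time

TA, INT, RP = "https://ta.example.org", "https://int.example.org", "https://rp.example.org"  # hypothetical ids

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _random_prime(bits: int) -> int:  # Fermat test on fixed bases: fine for a toy key, not for production
    while True:
        c = random.getrandbits(bits) | 1 << (bits - 1) | 1
        if all(pow(a, c - 1, c) == 1 for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
            return c

def gen_key(kid: str, bits: int = 512) -> dict:
    """Toy RSA key pair; signing is textbook RSA over SHA-256 (no PKCS#1 padding), a stand-in for RS256."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and math.gcd(65537, phi) == 1:
            break
    pub = {"kty": "RSA", "kid": kid, "n": b64u(n.to_bytes((n.bit_length() + 7) // 8, "big")), "e": b64u(b"\x01\x00\x01")}
    return {"kid": kid, "n": n, "d": pow(65537, -1, phi), "public": pub}

def sign_statement(claims: dict, key: dict) -> str:
    header = {"alg": "RS256", "typ": "entity-statement+jwt", "kid": key["kid"]}
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    digest = int.from_bytes(hashlib.sha256(signing_input.encode()).digest(), "big")
    sig = pow(digest, key["d"], key["n"]).to_bytes((key["n"].bit_length() + 7) // 8, "big")
    return signing_input + "." + b64u(sig)

def verify_statement(jws: str, jwks: list) -> dict:
    """Verify one entity statement against a JWK set; return its claims or raise ValueError."""
    h64, p64, s64 = jws.split(".")
    header = json.loads(b64u_dec(h64))
    jwk = next((k for k in jwks if k.get("kid") == header.get("kid")), None)
    if jwk is None or header.get("alg") != "RS256" or header.get("typ") != "entity-statement+jwt":
        raise ValueError("unknown kid or unexpected alg/typ")
    n, e = (int.from_bytes(b64u_dec(jwk[f]), "big") for f in ("n", "e"))
    digest = int.from_bytes(hashlib.sha256(f"{h64}.{p64}".encode()).digest(), "big")
    if pow(int.from_bytes(b64u_dec(s64), "big"), e, n) != digest:
        raise ValueError("bad signature")
    claims = json.loads(b64u_dec(p64))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("statement expired")
    return claims

def validate_trust_chain(chain: list, anchor: str, ta_jwks: list) -> dict:
    """Validate [leaf EC, subordinate statements..., TA EC] using only the Trust Anchor's public key."""
    ta_ec = verify_statement(chain[-1], ta_jwks)
    if ta_ec["iss"] != anchor or ta_ec["sub"] != anchor:
        raise ValueError("last statement is not the Trust Anchor's entity configuration")
    issuer, keys = anchor, ta_jwks
    for jws in reversed(chain[1:-1]):          # TA's statement first, then each intermediate's
        st = verify_statement(jws, keys)
        if st["iss"] != issuer or st["sub"] == issuer:
            raise ValueError("iss/sub link broken at " + str(st.get("sub")))
        issuer, keys = st["sub"], st["jwks"]["keys"]   # subordinate's keys as asserted by its superior
    leaf = verify_statement(chain[0], keys)
    if leaf["iss"] != issuer or leaf["sub"] != issuer:
        raise ValueError("leaf entity configuration does not match the chain")
    return leaf

def chain_is_valid(chain: list, anchor: str, ta_jwks: list) -> bool:
    try:
        return bool(validate_trust_chain(chain, anchor, ta_jwks))
    except (ValueError, KeyError, IndexError):
        return False

class FederationEntity:
    """A participant publishing pre-processed trust chains about itself, keyed by Trust Anchor."""
    def __init__(self, entity_id: str):
        self.entity_id, self.chains = entity_id, {}
    def publish_chain(self, anchor: str, chain: list) -> None:
        leaf = json.loads(b64u_dec(chain[0].split(".")[1]))
        if leaf.get("sub") != self.entity_id:   # the issue's constraint: chains about itself only
            raise ValueError("an entity may only publish trust chains about itself")
        self.chains[anchor] = chain
    def trustchain_endpoint(self, query: dict) -> tuple:
        """Handler for GET /trustchain?anchor=<TA>; returns (HTTP status, JSON body)."""
        chain = self.chains.get(query.get("anchor"))
        return (200, json.dumps(chain)) if chain else (404, json.dumps({"error": "not_found"}))

def build_demo(ttl: int = 3600) -> dict:
    """Constructed three-level federation TA -> intermediate -> RP: publish, fetch and validate."""
    ta_key, int_key, rp_key = gen_key("ta-1"), gen_key("int-1"), gen_key("rp-1")
    now = int(time.time())
    def claims(iss, sub, keys, **extra):
        return {"iss": iss, "sub": sub, "iat": now, "exp": now + ttl, "jwks": {"keys": keys}, **extra}
    chain = [
        sign_statement(claims(RP, RP, [rp_key["public"]], metadata={"openid_relying_party": {"client_name": "demo RP"}}), rp_key),
        sign_statement(claims(INT, RP, [rp_key["public"]]), int_key),   # intermediate about the RP
        sign_statement(claims(TA, INT, [int_key["public"]]), ta_key),   # TA about the intermediate
        sign_statement(claims(TA, TA, [ta_key["public"]]), ta_key),     # TA entity configuration
    ]
    rp = FederationEntity(RP)
    rp.publish_chain(TA, chain)
    status, body = rp.trustchain_endpoint({"anchor": TA})
    fetched, ta_jwks = json.loads(body), [ta_key["public"]]
    return {"status": status, "chain": fetched, "ta_jwks": ta_jwks, "leaf": validate_trust_chain(fetched, TA, ta_jwks)}
```

The validator starts from the Trust Anchor's entity configuration and walks downward, so each subordinate's keys are taken only from the statement its superior signed; a reordered or truncated chain fails on a kid lookup or an iss/sub mismatch rather than being silently accepted, and every statement's exp is checked individually. The publisher side enforces the issue's constraint by refusing to store a chain whose leaf subject is not the entity itself.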

Comments (2)

  1. Giuseppe De Marco reporter

    This issue is not relevant anymore, since the .well-known endpoint for publishing the trust chains needs at least the trust anchor where the chain has to be resolved

    and also, the resolve endpoint is able to serve trust chains regarding the subject that exposes the resolve endpoint.
