[Federation] Location and scope of application of metadata_policy_crit

Issue #2111 resolved
Vladimir Dzhuvinov created an issue

The current metadata_policy_crit spec is not clear where the claim may appear:

  1. In Entity Configurations?
  2. In Subordinate Statements?
  3. In both?

Since a metadata_policy may only appear in a Subordinate Statement, and the metadata_policy_crit guides how the metadata_policy is to be processed, is it logical to require both to be in the same place, i.e. in Subordinate Statements?

This then leads to the following question:

When a metadata_policy_crit lists a critical custom operator, e.g. lte (less than or equal to), where does this apply:

  1. To the metadata_policy in the same Subordinate Statement?
  2. To any subordinate metadata_policy claims in the Trust Chain also?

https://openid.bitbucket.io/connect/openid-federation-1_0.html#section-3-5.22

metadata_policy_crit

OPTIONAL. The metadata_policy_crit (critical) Entity Statement claim indicates that extensions to the policy language defined by this specification are being used that MUST be understood and processed. It is used in the same way that crit is used for extension JWS header parameters that MUST be understood and processed. Its value is an array listing the policy language extensions present in the policy language statements that use those extensions. If any of the listed extension policy language extensions are not understood and supported by the recipient, then the Entity Statement is invalid. Producers MUST NOT include policy language names defined by this specification or names that do not occur in metadata policy statements in the Entity Statement in the metadata_policy_crit list. Producers MUST NOT use the empty array [] as the metadata_policy_crit value.

Comments (6)

  1. Michael Jones

    In the definition of metadata_policy, we say:

    Entity Configurations MUST NOT contain a metadata_policy claim.

    We should likewise say:

    Entity Configurations MUST NOT contain a metadata_policy_crit claim.

  2. Vladimir Dzhuvinov reporter

    Likewise, the metadata_policy_crit applies the way metadata_policy does.

    Custom operators defined in Subordinate Statements MUST get added; the resulting set is the one that MUST be used when processing the resolved metadata_policy.

    (discussed at F2F at TIIME 2024)
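The validation rules quoted from the spec above, together with the two points settled in the comments (metadata_policy_crit is forbidden in Entity Configurations, and the critical operator sets of all Subordinate Statements in a Trust Chain are unioned before the resolved metadata_policy is processed), as an added example in Python. This is illustration code written for this page, not code from the OpenID Federation spec or any conformant implementation. The entity identifiers, the custom lte operator and the statement contents are constructed; the claim names metadata_policy, metadata_policy_crit and the standard operator names are the spec's own. The example assumes that an extension operator which is used in a policy but not listed as critical may simply be ignored by a resolver that does not understand it.

```python
"""Checks for metadata_policy_crit placement and Trust Chain handling (added example)."""
from typing import Any, Dict, Iterable, List, Set

# Operators defined by OpenID Federation 1.0 itself; producers MUST NOT list these as critical.
STANDARD_OPERATORS = frozenset(
    {"value", "add", "default", "one_of", "subset_of", "superset_of", "essential"}
)


def operators_in_policy(metadata_policy: Dict[str, Any]) -> Set[str]:
    """Collect every operator name used anywhere in a metadata_policy claim."""
    operators: Set[str] = set()
    for claims in metadata_policy.values():       # keyed by entity type, e.g. openid_relying_party
        for operator_map in claims.values():      # keyed by metadata parameter name
            operators.update(operator_map.keys())
    return operators


def validate_statement(statement: Dict[str, Any], *, is_entity_configuration: bool) -> List[str]:
    """Structural checks on a single Entity Statement; returns error strings (empty list = valid)."""
    errors: List[str] = []
    policy = statement.get("metadata_policy")
    crit = statement.get("metadata_policy_crit")
    if is_entity_configuration:
        # metadata_policy is already forbidden here; this issue adds the same rule for metadata_policy_crit.
        if policy is not None:
            errors.append("Entity Configuration MUST NOT contain metadata_policy")
        if crit is not None:
            errors.append("Entity Configuration MUST NOT contain metadata_policy_crit")
        return errors
    if crit is None:
        return errors  # the claim is OPTIONAL in Subordinate Statements
    if not isinstance(crit, list) or not crit:
        errors.append("metadata_policy_crit MUST be a non-empty array")
        return errors
    used = operators_in_policy(policy or {})
    for name in crit:
        if name in STANDARD_OPERATORS:
            errors.append(f"{name}: operator defined by the spec MUST NOT be listed as critical")
        elif name not in used:
            errors.append(f"{name}: listed as critical but not used in this metadata_policy")
    return errors


def critical_extensions_in_chain(subordinate_statements: Iterable[Dict[str, Any]]) -> Set[str]:
    """Union of metadata_policy_crit over every Subordinate Statement in the chain."""
    crit: Set[str] = set()
    for statement in subordinate_statements:
        crit.update(statement.get("metadata_policy_crit") or [])
    return crit


def validate_chain(entity_configuration: Dict[str, Any],
                   subordinate_statements: List[Dict[str, Any]],
                   supported_extensions: Iterable[str]) -> List[str]:
    """Validate the leaf's Entity Configuration plus all Subordinate Statements, then check that the
    resolver understands the unioned set of critical extensions before the resolved policy is applied."""
    errors = validate_statement(entity_configuration, is_entity_configuration=True)
    for statement in subordinate_statements:
        errors.extend(validate_statement(statement, is_entity_configuration=False))
    unsupported = critical_extensions_in_chain(subordinate_statements) - set(supported_extensions)
    for name in sorted(unsupported):
        errors.append(f"{name}: critical policy extension not supported by this resolver")
    return errors


# Constructed sample Trust Chain: Trust Anchor -> Intermediate -> Leaf (identifiers are made up).
TA_SUBORDINATE_STATEMENT = {
    "iss": "https://ta.example.com",
    "sub": "https://intermediate.example.com",
    "metadata_policy": {
        "openid_relying_party": {
            "token_endpoint_auth_method": {"one_of": ["private_key_jwt"]},
            "default_max_age": {"lte": 600},     # custom operator, hence listed as critical below
        }
    },
    "metadata_policy_crit": ["lte"],
}
INTERMEDIATE_SUBORDINATE_STATEMENT = {
    "iss": "https://intermediate.example.com",
    "sub": "https://rp.example.com",
    "metadata_policy": {
        "openid_relying_party": {"grant_types": {"subset_of": ["authorization_code"]}}
    },
}
LEAF_ENTITY_CONFIGURATION = {
    "iss": "https://rp.example.com",
    "sub": "https://rp.example.com",
    "metadata": {"openid_relying_party": {"default_max_age": 300}},
}
CHAIN_SUBORDINATE_STATEMENTS = [TA_SUBORDINATE_STATEMENT, INTERMEDIATE_SUBORDINATE_STATEMENT]

if __name__ == "__main__":
    print("resolver supporting lte:", validate_chain(LEAF_ENTITY_CONFIGURATION, CHAIN_SUBORDINATE_STATEMENTS, {"lte"}))
    print("resolver without lte:  ", validate_chain(LEAF_ENTITY_CONFIGURATION, CHAIN_SUBORDINATE_STATEMENTS, set()))
```

A resolver that does not support lte rejects the whole chain even though only the Trust Anchor's statement uses it, which is the effect of taking the union across Subordinate Statements; the per-statement checks catch the producer-side errors (a standard operator or an unused name in the list, an empty array, or the claim appearing in an Entity Configuration at all).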
