
[Trust] - Periodic trust chain resolution for key rotation and certificate updates #917

@fmarino-ipzs

Description


The current specification lacks clear guidance on how subordinate entities should handle key rotations and certificate updates from their superior entities (TA or Intermediates).

Key rotation is mentioned in the Entity Onboarding and X.509 Certificate Management Operations sections, but the specification doesn't specify:

  • How often subordinates should fetch their own Entity Configuration from superiors
  • How to detect superior key rotations
  • How to handle certificate updates in the x5c field
  • Priority rules when both Subordinate Statement and EC contain the same public key

Proposed Approach

Add a requirement that subordinates MUST fetch their own Entity Configuration from their immediate superior every 24 hours to:

  • Detect superior key rotations
  • Check for offboarding status
  • Update X.509 certificates in their EC's x5c fields

Use Case 1: Superior Key Rotation

  1. TA/Intermediate issues CRL to revoke old key
  2. TA/Intermediate adds new key to its EC, signs with new key, publishes updated EC
  3. TA/Intermediate re-issues all subordinate certificates with new key, makes them available via fetch endpoint
  4. Subordinate fetches its own EC periodically, detects certificate change
  5. Subordinate updates x5c in its EC with new certificate

Note: When the Subordinate Statement and the subordinate's EC both contain the same public key certified by the superior, which certificate in x5c has priority? The Subordinate Statement takes priority.

Use Case 2: Subordinate Key Rotation

  1. Subordinate submits CSR (PKCS#10) to superior
  2. Superior issues new certificate, publishes via fetch endpoint (new key added alongside existing)
  3. Subordinate fetches its trust chain, retrieves new certificate
  4. Subordinate adds new JWK with new certificate in EC's x5c field
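The two procedures above, as an added example that is not code from the issue author or from the project: one run of the proposed periodic job, written in Python with the standard library only. It assumes the subordinate has already fetched its superior's Entity Configuration jwks (before and after the rotation) and its own Subordinate Statement from the fetch endpoint, that a missing statement means offboarding, and that the Subordinate Statement's x5c wins for a kid present in both, as the note above proposes. Certificates are constructed placeholder DER bytes and the JWKs carry only kid/kty/x5c, so the example shows the comparison and merge logic, not certificate parsing or chain validation.

```python
"""Periodic subordinate check (constructed example, not the project's code).

Certificates are placeholder DER bytes, not real X.509; JWKs are stripped to
kid/kty/x5c. The logic is what matters: detect superior key rotation, adopt a
re-issued certificate, add a newly certified key, and notice offboarding.
"""
import base64
import hashlib
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _cert(label: str) -> str:
    """Constructed stand-in for a DER certificate, encoded as x5c expects (standard base64)."""
    return base64.b64encode(f"DER:{label}".encode()).decode("ascii")


def cert_thumbprint(x5c_entry: str) -> str:
    """x5t#S256-style thumbprint (base64url SHA-256 of the DER bytes) of one x5c entry."""
    return _b64url(hashlib.sha256(base64.b64decode(x5c_entry)).digest())


def _leaf_thumbprint(jwk: dict):
    x5c = jwk.get("x5c") or []
    return cert_thumbprint(x5c[0]) if x5c else None


def diff_jwks(previous: dict, current: dict) -> dict:
    """Compare two JWK Sets by kid: new kids, withdrawn kids, and kids whose leaf cert changed."""
    prev = {k["kid"]: k for k in previous.get("keys", [])}
    cur = {k["kid"]: k for k in current.get("keys", [])}
    both = set(prev) & set(cur)
    return {
        "added": sorted(set(cur) - set(prev)),
        "removed": sorted(set(prev) - set(cur)),
        "cert_changed": sorted(k for k in both if _leaf_thumbprint(prev[k]) != _leaf_thumbprint(cur[k])),
    }


def reconcile_own_ec(ec_jwks: dict, statement_jwks, held_kids: set) -> dict:
    """Apply a freshly fetched Subordinate Statement to the subordinate's own EC jwks.

    statement_jwks None   -> the superior no longer publishes a statement for us: offboarded.
    kid in both           -> the statement's x5c replaces ours (statement takes priority, per the proposal).
    kid only in statement -> added only if we hold that private key (the CSR flow of Use Case 2);
                             any other kid is reported in "ignored" rather than silently adopted.
    The input dict is not mutated.
    """
    if statement_jwks is None:
        return {"status": "offboarded", "jwks": ec_jwks, "ignored": []}
    updated = json.loads(json.dumps(ec_jwks))
    by_kid = {k["kid"]: k for k in updated["keys"]}
    changed, ignored = False, []
    for sk in statement_jwks.get("keys", []):
        kid = sk["kid"]
        if kid in by_kid:
            if sk.get("x5c") and by_kid[kid].get("x5c") != sk["x5c"]:
                by_kid[kid]["x5c"] = list(sk["x5c"])
                changed = True
        elif kid in held_kids:
            updated["keys"].append(json.loads(json.dumps(sk)))
            changed = True
        else:
            ignored.append(kid)
    return {"status": "updated" if changed else "unchanged", "jwks": updated, "ignored": ignored}


# Constructed sample data: a TA rotating ta-key-1 -> ta-key-2 and re-issuing the subordinate's cert.
SUPERIOR_EC_BEFORE = {"keys": [{"kid": "ta-key-1", "kty": "EC", "x5c": [_cert("ta-key-1 self-signed")]}]}
SUPERIOR_EC_AFTER = {"keys": [{"kid": "ta-key-2", "kty": "EC", "x5c": [_cert("ta-key-2 self-signed")]}]}
CERT_OLD = _cert("sub-key-1 signed by ta-key-1")
CERT_NEW = _cert("sub-key-1 signed by ta-key-2")
CERT_KEY2 = _cert("sub-key-2 signed by ta-key-2")
SUB_EC = {"keys": [{"kid": "sub-key-1", "kty": "EC", "x5c": [CERT_OLD]}]}
STATEMENT_AFTER_ROTATION = {"keys": [{"kid": "sub-key-1", "kty": "EC", "x5c": [CERT_NEW]}]}
STATEMENT_WITH_NEW_KEY = {"keys": [{"kid": "sub-key-1", "kty": "EC", "x5c": [CERT_NEW]},
                                   {"kid": "sub-key-2", "kty": "EC", "x5c": [CERT_KEY2]}]}


def periodic_check(held_kids: set) -> list:
    """One run of the proposed 24-hour job, returning what the subordinate learned."""
    return [
        ("superior keys", diff_jwks(SUPERIOR_EC_BEFORE, SUPERIOR_EC_AFTER)),                 # Use Case 1, steps 2-4
        ("own cert", reconcile_own_ec(SUB_EC, STATEMENT_AFTER_ROTATION, held_kids)["status"]),  # Use Case 1, step 5
        ("new key", reconcile_own_ec(SUB_EC, STATEMENT_WITH_NEW_KEY, held_kids)["status"]),     # Use Case 2
        ("offboarding", reconcile_own_ec(SUB_EC, None, held_kids)["status"]),
    ]


if __name__ == "__main__":
    for what, result in periodic_check({"sub-key-1", "sub-key-2"}):
        print(f"{what}: {result}")
```

The `held_kids` guard is the caveat a practitioner would want: a Subordinate Statement is the superior's claim about which of the subordinate's keys it certifies, so a kid the subordinate never generated should be flagged, not copied into its own EC. In a real deployment the placeholder certificates would be parsed and the public key in each x5c[0] checked against the JWK's own key material before the x5c is adopted.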

Status: In Progress