OpenID Federation eliminates dependence on Certificate Authorities by having each entity publish its own signing keys inside self-signed JWTs (Entity Configurations). Trust derives from federation hierarchy signatures, not from CA-issued certificates.

**Mechanism**: Each entity's JWKS is embedded in its Entity Configuration. Superiors cryptographically endorse it via Subordinate Statements. Verification chains up to a Trust Anchor whose keys are distributed out-of-band, replacing the CA's role with a federation-scoped operator.

**Operational advantages**:

- Entities control key rotation without CA re-issuance delays
- Key compromise limited to federation scope (no global CA incident)
- Historical Keys endpoint provides revocation without CRL/OCSP infrastructure
- Federation-specific trust boundaries replace global CA trust

**Failure modes**: Trust Anchor key compromise still requires out-of-band notification. Mismanaged `authority_hints` or missing `exp` rotation creates stale chains.

**Cross-domain applications**:

- **IoT device identity**: Edge devices self-certify against a device manufacturer's trust anchor (same pattern)
- **Supply chain provenance**: SLSA/in-toto use similar self-attested signing chains
- **Decentralized identity (DID)**: DIDs are the logical extreme: self-managed keys with no hierarchy above the entity itself
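
The chain verification described under **Mechanism**, together with the stale-chain failure mode, as an added example (not code from the original page or from any OpenID Federation implementation). It uses Node's built-in `crypto` with ES256; the entity identifiers, key IDs, and function names are constructed for illustration, and metadata policy, constraints, and trust marks are out of scope.

```javascript
const crypto = require('crypto');
const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const dec = (s) => JSON.parse(Buffer.from(s, 'base64url').toString());

function newKey(kid) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { privateKey, jwk: { ...publicKey.export({ format: 'jwk' }), kid } };
}
function signStatement(claims, key) {
  const input = `${enc({ alg: 'ES256', typ: 'entity-statement+jwt', kid: key.jwk.kid })}.${enc(claims)}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: key.privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}
// Verify one statement against a JWKS that is already trusted; returns verified claims or throws.
function verifyStatement(jwt, jwks, now) {
  const [h, p, s] = jwt.split('.');
  const { alg, kid } = dec(h);
  const jwk = jwks.keys.find((k) => k.kid === kid);
  if (alg !== 'ES256' || !jwk) throw new Error('unknown key or algorithm');
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  // JWS ES256 signatures are raw r||s, hence ieee-p1363 rather than DER.
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`), { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = dec(p);
  if (!(claims.exp > now)) throw new Error('expired or missing exp');
  return claims;
}
// chain = [leaf Entity Configuration, Subordinate Statement(s)..., Trust Anchor Entity Configuration].
// Walk top-down from the out-of-band anchor keys so every JWKS used has itself been verified.
function verifyChain(chain, anchor, now) {
  let upper = null, exp = Infinity;
  for (let i = chain.length - 1; i >= 0; i--) {
    const c = verifyStatement(chain[i], upper ? upper.jwks : anchor.jwks, now);
    if (upper ? c.iss !== upper.sub : c.iss !== anchor.id) throw new Error('broken iss/sub link');
    if ((i === 0 || !upper) && c.iss !== c.sub) throw new Error('entity configuration is not self-issued');
    exp = Math.min(exp, c.exp);
    upper = c;
  }
  return { subject: upper.sub, exp }; // the chain is only valid until its earliest exp
}
// Constructed fixture: one leaf directly under the Trust Anchor. leafSigner lets a caller swap the leaf's signing key.
function demoChain(now, leafSigner) {
  const ta = newKey('ta-1'), leaf = newKey('leaf-1'), TA = 'https://ta.example', LEAF = 'https://rp.example';
  const taJwks = { keys: [ta.jwk] }, leafJwks = { keys: [leaf.jwk] };
  return { anchor: { id: TA, jwks: taJwks }, chain: [
    signStatement({ iss: LEAF, sub: LEAF, exp: now + 600, jwks: leafJwks, authority_hints: [TA] }, leafSigner || leaf),
    signStatement({ iss: TA, sub: LEAF, exp: now + 300, jwks: leafJwks }, ta),
    signStatement({ iss: TA, sub: TA, exp: now + 900, jwks: taJwks }, ta),
  ] };
}
```

The leaf's self-published JWKS is never trusted on its own: the leaf Entity Configuration is checked against the keys the superior endorsed in its Subordinate Statement, and the returned `exp` is the point at which the chain must be rebuilt.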