Multiple key certification by the trust anchor to ensure rotation in the event of an incident #716

@grausof

In the context of signing keys published in the well-known endpoint, it is considered a security best practice to ensure that each entity within the federation has at least two keys certified by the trust anchor: one active key and one backup key.

This setup allows the entity to perform secure key rotation in the event of an incident by deactivating the primary key and switching to the backup key, without negatively impacting clients. This ensures continuity even if clients have cached the entity configuration or the trust anchor configuration, avoiding potential validation issues during the transition.
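The cached-configuration scenario described above, as an added example that is not part of the original issue or the project's code: it models a client that checks an entity configuration's signing `kid` against a cached trust anchor statement. The function names, the `kid` values and the abbreviated JWKS (key material omitted) are all constructed for illustration.

```python
# Added illustration; kids and JWKS below are constructed sample data.

def certified_kids(ta_statement_jwks):
    """kids of the signing keys the trust anchor certified for the entity."""
    return {k["kid"] for k in ta_statement_jwks.get("keys", [])
            if k.get("use", "sig") == "sig" and "kid" in k}

def rotation_ready(ta_statement_jwks):
    """True when at least two signing keys are certified (active + backup)."""
    return len(certified_kids(ta_statement_jwks)) >= 2

def validates_against_cache(cached_ta_jwks, signing_kid):
    """Would a client holding a cached trust anchor statement accept an
    entity configuration signed with signing_kid?"""
    return signing_kid in certified_kids(cached_ta_jwks)

def pick_backup(cached_ta_jwks, deactivated_kid):
    """Choose an already-certified key to switch to after an incident.
    Returns None when no certified backup exists, i.e. a newly generated
    key would fail validation until clients refresh their caches."""
    backups = sorted(certified_kids(cached_ta_jwks) - {deactivated_kid})
    return backups[0] if backups else None

# Constructed JWKS as a client might have cached them before the incident.
SINGLE_KEY = {"keys": [{"kty": "EC", "use": "sig", "kid": "active-1"}]}
TWO_KEYS = {"keys": [{"kty": "EC", "use": "sig", "kid": "active-1"},
                     {"kty": "EC", "use": "sig", "kid": "backup-1"}]}

def simulate(cached_ta_jwks, deactivated_kid, fresh_kid="fresh-1"):
    """Return (kid used after the incident, accepted by cached clients?)."""
    new_kid = pick_backup(cached_ta_jwks, deactivated_kid) or fresh_kid
    return new_kid, validates_against_cache(cached_ta_jwks, new_kid)

if __name__ == "__main__":
    for name, jwks in (("single key", SINGLE_KEY), ("two keys", TWO_KEYS)):
        kid, ok = simulate(jwks, "active-1")
        print(f"{name}: ready={rotation_ready(jwks)} "
              f"switch_to={kid} cached_clients_accept={ok}")
```
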
