CA-like signing flow for mediator keys #32

@adewes

Currently the mediator keys are generated, signed and uploaded locally using the kiebitz tool. This is acceptable for small deployments where the system owner and mediators fully trust each other. For larger systems it would be better to also implement a workflow like the one for the providers, i.e. a mediator can generate an initial key pair in the browser and submit the public keys for signing to the backend. The system admin could then use the kiebitz command line tool to sign the mediator keys and also provide the necessary decryption keys for provider data to the mediator. Alternatively, this could be done via a new web app (the root app).

This is a large issue and probably warrants some technical discussion before implementation.
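The flow proposed above, sketched as an added example (not Kiebitz code and not part of the original issue): the mediator submits only public keys, the admin signs them with the root key, and a verifier accepts them only with a valid root signature. ECDSA P-256, the JSON layout and all function and field names are assumptions made for illustration, and Node's `crypto` module stands in for both the browser and the command line tool.

```javascript
// Added illustration of a CA-style signing flow; hypothetical names throughout.
const nodeCrypto = require('node:crypto');

// prime256v1 is the OpenSSL name for NIST P-256 (assumed curve).
const newKeyPair = () => nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const exportPub = (key) => key.export({ type: 'spki', format: 'der' }).toString('base64');

// Mediator side: keys are generated locally, only public halves leave the client.
function createSigningRequest(name) {
  const signing = newKeyPair();
  const encryption = newKeyPair(); // admin would encrypt provider-data keys to this
  const request = {
    role: 'mediator',
    name,
    signing: exportPub(signing.publicKey),
    encryption: exportPub(encryption.publicKey),
  };
  const privateKeys = { signing: signing.privateKey, encryption: encryption.privateKey };
  return { request, privateKeys };
}

// Admin side: sign the exact serialized bytes that verifiers will check later.
function signRequest(request, rootPrivateKey) {
  const data = JSON.stringify(request);
  const signature = nodeCrypto.sign('sha256', Buffer.from(data), rootPrivateKey);
  return { data, signature: signature.toString('base64') };
}

// Verifier side: check the signature first, parse the payload only afterwards.
function verifySignedKeys(signed, rootPublicKey) {
  const sig = Buffer.from(signed.signature, 'base64');
  const ok = nodeCrypto.verify('sha256', Buffer.from(signed.data), rootPublicKey, sig);
  if (!ok) return null;
  const keys = JSON.parse(signed.data);
  return keys.role === 'mediator' ? keys : null; // reject keys signed for another role
}

// Constructed demo: one root key, one mediator, a tampered record, a wrong root.
function demo() {
  const root = newKeyPair();
  const { request } = createSigningRequest('mediator-1');
  const signed = signRequest(request, root.privateKey);
  const forged = { ...signed, data: signed.data.replace('mediator-1', 'mediator-2') };
  return {
    accepted: verifySignedKeys(signed, root.publicKey),
    tampered: verifySignedKeys(forged, root.publicKey),
    wrongRoot: verifySignedKeys(signed, newKeyPair().publicKey),
  };
}
```

The role check in `verifySignedKeys` matters once the same root key also signs provider keys: without it, any root-signed key would pass as a mediator key.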

Labels: discuss (Issue for discussion, do not implement yet!)
