I thought about this for some days. It's basically the open Id connect standard. Problem remains: If app B doesn't have the PK, app B cannot sign events. To achieve this, we need the relays to act as authorisation servers like in oauth2.