I’m trying to better understand Activitypub and I understand that there’s a signature to avoid forgeries of known accounts.
However I’m having trouble understanding what prevents a malicious actor from sending a private spam message supposedly from a never before seen account name with valid generated key pair but for a domain they’ve never bought since there is no DNS lookup or test.
Thank you!
Maybe… I am working on an AP implementation that will reject anything not signed with VCDI because it has such desirable properties. In my implementation all crypto is done client-side only, so the server can’t reasonably be expected to do HTTP signing.