@julian @silverpill
> treat the resolved actor via HTTP signature to be like an API token, it's basically a fancy password!
yup, exactly. imagine if we used out-of-band bearer tokens. same principle. same with DPoP. the keys are all custodial in most cases. any “security” comes from the bidirectional link between actor and key (and it’s not much, but it’s barely enough to establish an identity at all)