but the HTTP Signature MAY come from either Fediverse Server instance.
This could mean that I can run my self-hosted instance, create a random account and later move that to @soatok@furry.engineer signed by my instance.
This is possible so long as the move to actor-id has not been claimed.
This could be used for DoS and maybe impersonation.
I wonder if this is a desirable situation.
But maybe I'm missing something.
In the spec it says the following about the MoveIdentity message:
https://github.com/fedi-e2ee/public-key-directory-specification/blob/6d4b531874d9e7d6b5fe21b2559ed4d6a7a68a3d/Specification.md?plain=1#L434-L435
What caught my attention is the