@59c6c59c I'm pretty sure that host may be spoofable.
@f50dbb78 Could you elaborate more on the exploit you have in mind? The flow for verifying looks like this:
- somebody creates an HTTP request to our server and signs it with an actor URL pointing to their key
- our server fetches the actor URL and takes the public key out of the object
- the server then verifies the signature with the public key, and verifies the digest of the request as well as the date to prevent replay attacks
- the server resolves the actor object to a web mention username
@59c6c59c hmm, maybe that's fine then!