nostr:npub175xmk7p9dul7guytswp6gcm0hszw24mzds2r54nup97js8nc54aqdv2fat could you elaborate more on the exploit you have in mind?

the flow for verifying looks like this:
- somebody creates an http request to our server and signs it with an actor URL pointing to their key
- our server fetches the actor URL and takes the public key out from the object
- the server then verifies the signature but the public key and verifies the digest of the request as well as the date to prevent replay attacks
- server resolves actor object to a web mention username