Are you talking about making sure that an incoming message is not corrupted, or are you talking about making sure the sender is who they say they are, or both?
@jwf @naturzukunft I'm writing a book about ActivityPub. I am working on the section of the chapter about inbound activities that deals with data integrity checks. I needed an example URL to show the importance of checks. In the book, I use the text, "Data integrity is no big deal, don't bother checking" for this Note.
1. Verification that the server is who they say they are.
2. Verification that the identity is who they say they are.
3. Some way of checking to see if the message was tampered with en route.
Some possible solutions are:
A. Identity proof via public and private keys or some other method, for both the server and the identity. Do not depend on DNS since the DNS cache can be poisoned.
B. Double encrypt messages. First, the platform encrypts the message, and then it sends that message over HTTPS, which encrypts it a second time.
C. Send a checksum or use some other method for verifying that a message has not been tampered with. (Although, if you double encrypt the message, you probably don't need this.)
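
An added example (not part of the thread) of how options A and C combine for one inbound message: the sender signs a digest of the body with its private key, and the receiver checks both against a public key it already holds. The actor URLs, the key directory and all helper names are assumptions, and Ed25519 with SHA-256 is a choice made for this example.

```javascript
// Added example: keys, actor URLs and messages are constructed for illustration.
const { generateKeyPairSync, createHash, sign, verify } = require("node:crypto");

const sha256 = (text) => createHash("sha256").update(text).digest("base64");

// Hypothetical actor with its own key pair.
function makeActor(id) {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  return { id, publicKey, privateKey };
}

// Sender: hash the body (option C), then sign actor id + digest (option A).
function sendMessage(actor, body) {
  const digest = sha256(body);
  const signed = Buffer.from(`${actor.id}\n${digest}`);
  const signature = sign(null, signed, actor.privateKey).toString("base64");
  return { actor: actor.id, body, digest, signature };
}

// Receiver: returns "ok" or the reason the message is rejected.
function checkMessage(msg, knownKeys) {
  const publicKey = knownKeys.get(msg.actor);
  if (!publicKey) return "unknown actor";
  if (sha256(msg.body) !== msg.digest) return "body does not match digest";
  const signed = Buffer.from(`${msg.actor}\n${msg.digest}`);
  const valid = verify(null, signed, publicKey, Buffer.from(msg.signature, "base64"));
  return valid ? "ok" : "bad signature";
}

function demo() {
  const alice = makeActor("https://social.example/users/alice");
  const mallory = makeActor("https://other.example/users/mallory");
  // Keys the receiver obtained earlier through a channel it trusts.
  const knownKeys = new Map([[alice.id, alice.publicKey], [mallory.id, mallory.publicKey]]);
  const note = JSON.stringify({ type: "Note", content: "Data integrity is no big deal, don't bother checking" });

  const genuine = sendMessage(alice, note);
  const edited = { ...genuine, body: note.replace("no big deal", "a big deal") };
  const rehashed = { ...edited, digest: sha256(edited.body) }; // checksum recomputed after the edit
  const forged = { ...sendMessage(mallory, note), actor: alice.id }; // signed with a different key

  return {
    genuine: checkMessage(genuine, knownKeys),
    edited: checkMessage(edited, knownKeys),
    rehashed: checkMessage(rehashed, knownKeys),
    forged: checkMessage(forged, knownKeys),
  };
}
```

The `rehashed` case is the one a checksum alone would accept: the digest matches the altered body, and only the signature check rejects it.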