kbsso if I were to put on my pgp hat (which has sadly skewed my thinking too much) there would be well-known endpoints for locating public keys of the user/site, app, and the endpoint services. Something analagous to grabbing it from rel=key links of the user's site
