2019-04-23 UTC
# 
fr33domlover cjslep[m], we can do that with HTTP sigs too if we drop (request-target). I mean, unless I'm missing something, the (request-target) and Host headers being signed serves as a proof that the author *intended* to send us the activity, and it wasn't just forwarded by someone else. The question I'm asking myself is, how to preserve that proof without breaking the HTP sig? I guess the obvious idea is to have a