trwnh.com/wiki.hugo/content/tech/spec/activitypub/extensions/http-signatures.md

386 B

draft 8 cavage

even in the updated HTTP Message Signatures which supercedes the old HTTP Signatures, the keyId resolution to get the actual key material is unspecced, it's up to app logic

so you need to clearly specify somewhere such rules. like "keyId must point to a json-ld object with type sec:Key and must have sec:owner pointing to an activitypub actor" or something like that