Problem
The §10 signature verifier (internal/alfa/inspect/signature.go, signaturePoints) evaluates signatures[] only on the anonymous GET /papi. RFC-0001 §4.1 + §10.3 say a verifier MAY also find the signatures echoed in the discovery document, so a client can verify document authorship from the always-public discovery response without first fetching /papi.
Ask
Extend the validator to also evaluate the discovery-echoed signatures (§4.1) — confirming it matches/verifies — so the discovery surface's self-certifying property is checked, not just /papi.
- The discovery doc is already fetched (
c.Discovery / the discovery sweep in inspect); add a §4.1 signature check that reuses the §10 markl-id verification path.
- Decide the verdict semantics when discovery and
/papi carry different/absent signatures (§4.1 says discovery MUST mirror the document's).
Notes
Deferred as out-of-scope during the Amendment 9 (signatures[]) work — that cut verified only GET /papi. Enhancement, not a conformance regression.
:clown: filed with Clown 0.3.12+e27f901
amarbel-llc/clown@e27f901
Problem
The §10 signature verifier (
internal/alfa/inspect/signature.go,signaturePoints) evaluatessignatures[]only on the anonymousGET /papi. RFC-0001 §4.1 + §10.3 say a verifier MAY also find thesignaturesechoed in the discovery document, so a client can verify document authorship from the always-public discovery response without first fetching/papi.Ask
Extend the validator to also evaluate the discovery-echoed
signatures(§4.1) — confirming it matches/verifies — so the discovery surface's self-certifying property is checked, not just/papi.c.Discovery/ the discovery sweep ininspect); add a §4.1 signature check that reuses the §10 markl-id verification path./papicarry different/absentsignatures(§4.1 says discovery MUST mirror the document's).Notes
Deferred as out-of-scope during the Amendment 9 (
signatures[]) work — that cut verified onlyGET /papi. Enhancement, not a conformance regression.:clown: filed with Clown 0.3.12+e27f901
amarbel-llc/clown@e27f901