How does ActivityPub authorization work?

[snarfed]

Hi! Apologies if this is already answered somewhere, I didn't see it on https://a.gup.pe/ or https://github.com/immers-space/guppe/wiki/Guppe-Groups-FAQ .

I run an ActivityPub service that occasionally gets inbox deliveries activities from Guppe groups. Great! I'm not seeing a way to check authorization for them, though. They include a valid HTTP Signature from the group actor, but the activity's actor and the object's attributedTo are the original author, and I don't know that the group actor is authorized to post on behalf of them.

The most common way to authorize this kind of AP inbox forwarding is with an LD Signature. Eg this is how Mastodon does it. Any chance you all would consider including LD sigs from the original activities, if they exist?

Here's an example of an activity we received from a.gup.pe recently. It included a valid HTTP Sig by the group AP actor https://a.gup.pe/u/allstartrek, but the actor and attributedTo are https://mindly.social/users/joewynne:

{
  "type": "Create",
  "id": "https://mindly.social/users/joewynne/statuses/112499304245297194/activity",
  "actor": "https://mindly.social/users/joewynne",
  "cc": [
    "https://mindly.social/users/joewynne/followers",
    "https://a.gup.pe/u/allstartrek",
    "https://a.gup.pe/u/allstartrek/followers"
  ],
  "object": {
    "type": "Note",
    "id": "https://mindly.social/users/joewynne/statuses/112499304245297194",
    "url": "https://mindly.social/@joewynne/112499304245297194"
    "attributedTo": "https://mindly.social/users/joewynne",
    "to": "as:Public",
    "cc": [
      "https://mindly.social/users/joewynne/followers",
      "https://a.gup.pe/u/allstartrek",
      "https://a.gup.pe/u/allstartrek/followers"
    ],
    "content": "...",
    "published": "2024-05-25T02:12:33Z",
  },
  "published": "2024-05-25T02:12:33Z",
  "to": "as:Public"
}