Add footnote about actor/keyId resolution during HTTP Signature processing (#1840)

* Add footnote about actor/keyId resolution during HTTP Signature processing
* Use list for key types

Author: mjankowski

content/en/spec/security.md

@@ -131,7 +131,7 @@ Mastodon verifies the signature using the following algorithm:
 
 * Split `Signature:` into its separate parameters.
 * Construct the signature string from the value of `headers`.
-* Fetch the `keyId` and resolve to an actor's `publicKey`.
+* Fetch the `keyId`[^keyId] and resolve to an actor's `publicKey`.
 * RSA-SHA256 hash the signature string and compare to the Base64-decoded `signature` as decrypted by `publicKey[publicKeyPem]`.
 * Use the `Date:` header to check that the signed request was made within the past 12 hours.
 
@@ -205,3 +205,7 @@ To verify a signature, Mastodon uses the following algorithm:
 * Strip `type`, `id`, and `signatureValue` from the `signature`, leaving only `signature[creator]` and `signature[created]`.
 * Base64-decode the `signatureValue` and verify it against the public key in `signature[creator]`.
 
+[^keyId]: The `keyId` does not reference the `publicKeyPem` property (the key material). It is a URI for the `publicKey` object associated with the actor. That public key object has an owner property that must be the URI of the owning actor. The extracted `keyId` value is processed as follows:
+
+    * When the `keyId` is an actor and fragment (`actor#key`), the owner points back to the same document (actor).
+    * When the `keyId` is a key (`/key`), the owner points back to some actor, and that actor should point back to the same key (establishing a bi-directional claim).