Do some implementations infer actor from HTTP Signature keyId?

Hi all! I have my own (small) AP implementation,, and I saw a bit of surprising interop behavior the other day. I was debugging a bug on my end where it omits actor entirely. It sent a Follow without actor to a Mastodon instance, and surprisingly that activity still worked, and the user showed up on the target’s following page.

Full activity below. Any idea what happened? My only guess is that the missing actor was inferred from the HTTP Signature keyId.

  "@context": "",
  "id": "",
  "url": "",
  "type": "Follow",
  "object": "",
  "published": "2022-11-15 11:04-0800",
  "content": "<p>Followed <a class=\"u-follow-of\" href=\"\">Anthony Ciccarello</a> on <a href=\"\"></a></p>",
  "to": [

Yes, it’s quite possible that Mastodon infers actor ID from key ID in this case. But I think the correct behavior is to compare signer and actor and reject activity if they don’t match.