FEP-c7d3: Ownership

I have a few notes.

First, I don’t think it makes sense to say that the object is authentic. Rather, it’s safer to say that the ownership relationship is authentic.

Second, consider an ActivityPub API client that implements a drawing tool. You can create, update, and delete pictures. For an actor https://social.example/user/evan, the client might push Create activities into the actor’s outbox like this:

{
    "@context": "https://www.w3.org/ns/activitystreams",
    "type": "Create",
    "to": "as:Public",
    "object": {
        "type": "Image",
        "id": "https://drawing.example/FJIhGP8Jp7CMWTO5hrjIW",
        "url": {
            "type": "Link",
            "mediaType": "image/svg+xml",
            "href": "https://drawing.example/files/5CvE73Yib6pDJXuZPaGaI.svg"
        }
    }
}

Fetching that drawing might return something like this:

{
    "@context": "https://www.w3.org/ns/activitystreams",
    "attributedTo": "https://social.example/user/evan",
    "to": "as:Public",
    "type": "Image",
    "id": "https://drawing.example/FJIhGP8Jp7CMWTO5hrjIW",
    "url": {
        "type": "Link",
        "mediaType": "image/svg+xml",
        "href": "https://drawing.example/files/5CvE73Yib6pDJXuZPaGaI.svg"
    }
}

This is an authentic ownership relationship, but the domains don’t match.

One way to confirm this ownership is by finding the Create activity in the actor’s outbox. That’s a linear search through a collection of O(10^5) or more, with pages of 20 or 100 items at a time. There’s an issue in AP for making this kind of search faster: membership endpoint · Issue #462 · w3c/activitypub · GitHub

Finally, I think you should change “MUST discard” to “MAY discard”. There may be other ways to determine the owner of an object, besides the one above or the ones listed – for example, a trust metric on the sending server. Leave it open to other uses.

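The outbox check described in the post above, sketched as an added example that is not part of the original post or of the FEP. It assumes the outbox is an OrderedCollection paged through `first`/`next` URLs; the outbox URL, the `DOCS` table standing in for HTTP fetches, and the `max_pages` bound are constructed for illustration.

```python
# Constructed sample documents standing in for HTTP responses (not real data).
ACTOR = "https://social.example/user/evan"
OBJECT_ID = "https://drawing.example/FJIhGP8Jp7CMWTO5hrjIW"
OUTBOX = ACTOR + "/outbox"  # assumed outbox URL

DOCS = {
    ACTOR: {"id": ACTOR, "type": "Person", "outbox": OUTBOX},
    OUTBOX: {"id": OUTBOX, "type": "OrderedCollection", "first": OUTBOX + "?page=1"},
    OUTBOX + "?page=1": {
        "type": "OrderedCollectionPage",
        "next": OUTBOX + "?page=2",
        "orderedItems": [{"type": "Create", "object": "https://social.example/note/1"}],
    },
    OUTBOX + "?page=2": {
        "type": "OrderedCollectionPage",
        "orderedItems": [{"type": "Create", "object": {"type": "Image", "id": OBJECT_ID}}],
    },
    OBJECT_ID: {"type": "Image", "id": OBJECT_ID, "attributedTo": ACTOR},
}


def object_id(value):
    """An activity's object may be a bare URL or an embedded object."""
    return value.get("id") if isinstance(value, dict) else value


def confirm_ownership(obj_id, fetch=DOCS.get, max_pages=50):
    """True if the object's claimed owner has a Create for it in their outbox."""
    obj = fetch(obj_id)
    owner = obj and obj.get("attributedTo")
    if not isinstance(owner, str):
        return False
    actor = fetch(owner) or {}
    outbox = fetch(actor.get("outbox")) or {}
    page_url, seen = outbox.get("first"), set()
    # Linear scan, bounded so a looping or oversized collection cannot stall us.
    while page_url and page_url not in seen and len(seen) < max_pages:
        seen.add(page_url)
        page = fetch(page_url) or {}
        for item in page.get("orderedItems", []):
            if isinstance(item, dict) and item.get("type") == "Create" \
                    and object_id(item.get("object")) == obj_id:
                return True
        page_url = page.get("next")
    return False
```

A `False` result only means this one check did not confirm the relationship within the page bound; the object's own `attributedTo` claim is never trusted without the matching Create in the owner's outbox.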