Key rotation notification

I don’t think that is the case. Signatures are also included in the JSON payloads during inbox posts as a mechanism to allow activities to be relayed with their content still verified. There is another thread, Making sense of RsaSignature2017, that I think you’re participating in.

It isn’t true or accurate to say that it doesn’t matter when certificates change. Certificates are actively checked against revocation lists. Not only is there the OCSP system built into certificate infrastructure, but there are revocation list systems actively developed by Google, Mozilla, Apple, and others for the purpose of actively checking certificate revocation.

It is also worth pointing out that Apple, a member of the CA/Browser Forum, is also mandating 13-month expiration times for all certificates starting in September. Any certificates that have an expiration time of longer than 13 months will be considered invalid in Safari and the underlying components using Safari in macOS, iOS, etc. Google attempted to introduce a similar measure at a CAB meeting last summer, but it didn’t pass.

Not that everyone should do what Google and Apple do, but it is generally accepted as a bad practice to have keys that don’t expire. ActivityPub, and the systems that build upon it, should support key expiration and rotation in a way that supports the longevity of the community and its users. Not having unique key identifiers makes that more difficult.

I was just quoting you? I may have misunderstood what you meant.