kopper

@BeAware @linus @privateger @Jerry "authorized fetch" is the same validation that already ends up happening on inbox requests, but instead of just being applied to inboxes it's required on all activitypub endpoints.

http signatures in general are "not native to activitypub", that's true, but any fedi software that actually cares about security will have an implementation of it anyway (as there isn't any other alternative being used, maybe aside from ld signatures which only mastodon and misskey implement). it's not that much effort to extend that validation to every other endpoint, and sign all outgoing requests instead of just ones heading to inboxes.

the only real arguments against authorized fetch are that HTTP-based caches no longer work (which can be solved by implementing a cache on the server software itself, to be checked after validation runs), and that there is extra overhead on verifying signatures on every single request.
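An added example, not part of the post above and not taken from any fediverse server: a sketch of a GET endpoint that verifies a draft-cavage style HTTP signature and only then consults a server-side cache. The key, key ID, hosts, paths and all method names are constructed for illustration, and a real server would also fetch the key from the keyId URL and check that the Date header is recent.

```ruby
require 'openssl'
require 'base64'

# Constructed remote actor key pair; stands in for a key fetched from the keyId URL.
ACTOR_KEY   = OpenSSL::PKey::RSA.new(2048)
KEY_ID      = 'https://remote.example/users/alice#main-key'
PUBLIC_KEYS = { KEY_ID => ACTOR_KEY.public_key }
REQUIRED    = ['(request-target)', 'host', 'date'].freeze
CACHE       = {}            # server-side object cache, read only after verification
RENDERS     = Hash.new(0)   # counts how often an object was actually rendered

# Build the signing string over the listed headers.
def signing_string(method, path, headers, names)
  names.map do |n|
    n == '(request-target)' ? "#{n}: #{method.downcase} #{path}" : "#{n}: #{headers[n]}"
  end.join("\n")
end

# Client side: sign an outgoing GET, not just POSTs heading to inboxes.
def sign_get(path, headers)
  data = signing_string('GET', path, headers, REQUIRED)
  sig  = Base64.strict_encode64(ACTOR_KEY.sign(OpenSSL::Digest.new('SHA256'), data))
  headers.merge('signature' =>
    %(keyId="#{KEY_ID}",headers="#{REQUIRED.join(' ')}",signature="#{sig}"))
end

# Server side: true only if the Signature header verifies against a known key.
def verified?(method, path, headers)
  params = headers.fetch('signature', '').scan(/(\w+)="([^"]*)"/).to_h
  key    = PUBLIC_KEYS[params['keyId']]
  return false unless key && params['headers'] && params['signature']
  names = params['headers'].split(' ')
  return false unless (REQUIRED - names).empty?   # must cover target, host and date
  key.verify(OpenSSL::Digest.new('SHA256'),
             Base64.strict_decode64(params['signature']),
             signing_string(method, path, headers, names))
rescue ArgumentError, OpenSSL::PKey::PKeyError
  false
end

# Any ActivityPub GET endpoint: validate first, then check the cache.
def handle_get(path, headers)
  return [401, nil] unless verified?('GET', path, headers)
  body = CACHE[path] ||= begin
    RENDERS[path] += 1
    %({"id":"https://local.example#{path}","type":"Note"})
  end
  [200, body]
end
```

Because the cache lookup sits behind `verified?`, an unsigned request gets a 401 even when the object is already cached, which a plain HTTP cache in front of the server could not guarantee.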
