by oflor 1320 days ago
It looks a lot like XMPP with some of its flaws: too much flexibility and no principled stance on privacy and security issues. For example, I couldn't find how ActivityPub supports signatures of sent content, while Mastodon (one of the ActivityPub implementations/services) specifies and requires it. And it's really disappointing that they don't solve the identity theft problem, leaving it all in the hands of instance admins.

I use Mastodon via the web interface. Where would signatures of sent content be generated or signed? How does the receiving end verify the signature?

With XMPP+OMEMO I have verified the fingerprints of my friends by scanning their QR code.

I'm sorry, I don't have a good answer for you. While a PGP-like web of trust is accessible in native desktop and mobile applications, it's certainly harder to use in a browser. I don't think that should be an argument against supporting it.

One of the widespread solutions in the cryptocurrency world is browser extensions, which keep the private key in their own private storage and let you use it to sign transactions in the same browser window. I reckon it's possible to implement the same approach for PGP: store the private key and the trusted public keys in the extension, and use them to sign and validate messages.