OK #radical idea. No signatures, no certificates. Deniable authentication between peers, and nothing else, but with relaying. If Alice sends you Bob's feed, you just blindly trust that it's Bob's feed, allowing Alice to MITM you and Bob whenever she wants. Crazy, right? Well, if you're also peering with Bob, then you can tell if Alice is lying...
Let's say you peer with Alice and Bob, and Alice sends you Claire's feed. You just blindly trust that it's Claire's feed, but then Bob also sends you Claire's feed. If Bob and Alice send you different feeds for Claire, but they also send you their own feeds, you can tell if Bob is lying about Alice's feed. If he isn't, then that's 2:0 odds he's telling the truth about Claire, with only 1:1 odds for Alice, since you can verify she lies once, tells the truth once (her own feed).
Short of an outright Sybil attack, which can be defeated by steganography or having just one single peer outside the adversary's control, you can estimate whose version of someone's feed is the legit version by looking at the odds that your known peers are telling the truth. That means you can basically get someone's feed without ever connecting to them, or verifying their identity at all. You can build trust with them, without any signatures or even authentication.
@cy Both Alice and Bob might get Claire's feed from Dave, and only Dave, who messes with it.
Signatures make it easier to mitigate against more difficult to control scenarios.
However, *authentication* can be mostly skipped either way. You can trust Claire's signature whether or not you verify that the private key is in possession of any particular individual.
@jens The problem with signatures is Claire reveals something forbidden to me, and then the authorities catch me and beat me with a rubber hose until I give them her signed message. Then they beat her with a rubber hose until she gives them her private key. Now they have proof that she was the one who sent it, and can continue beating her with rubber hoses. If she didn't sign it, they could only guess which peer she was.
@jens Or more likely I sold out to them long ago, and have been feeding them her signed messages for the past 3 months. I can't tell who she is with or without her signature, but if someone gets her private key, then they can, unless she doesn't sign her posts.
@cy You can't tell who she is with the signature, either, you need additional (signed) info. You can only tell that multiple pieces of content were authored by the same source. You know nothing else about the source without more authentication.
If the source is already compromised, that could lead to issues as you describe. The easy thing here is to rotate keys.
A private instance for the Finkhäuser family.