also, you can get validation wrong as well by not generating the canonical form, the attacker can put a valid ID on the event and if you don't construct the canonical and check the ID is correct it can use a proper signature on the wrong ID and bypass that way too.

in the event handle code in #orly it always checks the ID AND signature. it doesn't have to check again once it has done that and stored it in the database tho. also. the ID doesn't actually have to be stored in the database if it calculates it after reconstituting it, but that costs more in processing time so it's better to store it.