wow, what a nothingburger this disclosure was. tl;dr: kind 4 DMs suck, and clients that don't validate sigs suck.

https://crypto-sec-n.github.io/#disclosure


Discussion

relays that don't validate sigs also suck. what happens when both occur? the trail of blood is harder to track.

also, you can get validation wrong by not generating the canonical form: the attacker can put a valid ID on the event, and if you don't construct the canonical form and check that the ID is correct, it can use a proper signature on the wrong ID and bypass that way too.

in the event handling code in #orly it always checks the ID AND the signature. it doesn't have to check again once it has done that and stored it in the database tho. also, the ID doesn't actually have to be stored in the database if it is recalculated after reconstituting the event, but that costs more in processing time so it's better to store it.
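The ID-then-signature check described in the two posts above, as an added example (not the #orly code or any client's): it rebuilds the NIP-01 canonical form, requires the supplied `id` to match, and only then verifies the signature over the recomputed id. The BIP340 Schnorr verifier is passed in as a parameter (assumption: any secp256k1 implementation works there); `demo()` uses a constructed stand-in verifier and a constructed kind-4 event so the check runs without native crypto.

```python
import hashlib
import json

def canonical_serialization(event: dict) -> bytes:
    """NIP-01 canonical form: [0, pubkey, created_at, kind, tags, content] as UTF-8
    JSON with no whitespace. The id and sig fields are deliberately NOT part of it."""
    arr = [0, event["pubkey"].lower(), event["created_at"],
           event["kind"], event["tags"], event["content"]]
    return json.dumps(arr, separators=(",", ":"), ensure_ascii=False).encode("utf-8")

def compute_id(event: dict) -> str:
    """Event ID = sha256 of the canonical serialization, as lowercase hex."""
    return hashlib.sha256(canonical_serialization(event)).hexdigest()

def flawed_check(event: dict, verify) -> bool:  # verify: (pubkey_x32, msg32, sig64) -> bool
    """The bypassable pattern from the thread: trusts the sender-supplied id and only
    checks that sig is a valid signature over *that* id."""
    return verify(bytes.fromhex(event["pubkey"]), bytes.fromhex(event["id"]),
                  bytes.fromhex(event["sig"]))

def validate_event(event: dict, verify) -> bool:
    """Correct order: rebuild the canonical form, require the supplied id to match,
    then verify the signature over the recomputed id, never the supplied one."""
    try:
        expected_id = compute_id(event)
        if event["id"] != expected_id:
            return False
        return verify(bytes.fromhex(event["pubkey"]), bytes.fromhex(expected_id),
                      bytes.fromhex(event["sig"]))
    except (KeyError, TypeError, ValueError):
        return False  # missing fields, bad hex, wrong field types

def demo() -> tuple:
    """Constructed data: a kind-4 event accepted by a stand-in verifier, then a forgery
    that keeps the genuine id and sig but swaps the content."""
    genuine = {"pubkey": "a" * 64, "created_at": 1700000000, "kind": 4,
               "tags": [["p", "b" * 64]], "content": "hi \"there\"\n"}
    genuine["id"] = compute_id(genuine)
    genuine["sig"] = "c" * 128  # placeholder sig the stand-in below accepts for this id
    signed = {(bytes.fromhex(genuine["pubkey"]), bytes.fromhex(genuine["id"]),
               bytes.fromhex(genuine["sig"]))}

    def stand_in_verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
        return (pk, msg, sig) in signed  # stand-in for real BIP340 verification

    forged = dict(genuine, content="tampered content")  # id and sig copied unchanged
    return flawed_check(forged, stand_in_verify), validate_event(forged, stand_in_verify)
```

`demo()` returns `(True, False)`: the flawed check accepts the forgery because the copied signature really does cover the copied id, while the canonical-form check rejects it because that id is not the hash of the event it arrived in.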

I will need a few hours

Wait, there are clients that don't validate sigs??