> imagine a system where you could use a private key to sign things
This is how things work now, the issue is that most (if not all) of existing AP software the server is generating and abstracting the keys away from the users. But (in theory) there is nothing stopping a system where the server (e.g, mastodon.example.com) works for clients (actor in AP vocabulary) with a different domain, and requesting the actor to sign the messages before accepting in the inbox.
This is how things work now, the issue is that most (if not all) of existing AP software the server is generating and abstracting the keys away from the users. But (in theory) there is nothing stopping a system where the server (e.g, mastodon.example.com) works for clients (actor in AP vocabulary) with a different domain, and requesting the actor to sign the messages before accepting in the inbox.