> you can reject any messages that don't validate against their signature when merging.
That's not really what I meant by "bad". I meant bad as in intent, not structural and immediately verifiable message integrity.
If all entities in the coalescing set can independently verify that a message does not meet its signature requirements, it will be rejected and idempotence is maintained.
If ONE member is somehow deceived about key validity it'll propagate the message into every other member's state, eventually.
That's not really what I meant by "bad". I meant bad as in intent, not structural and immediately verifiable message integrity.
If all entities in the coalescing set can independently verify that a message does not meet its signature requirements, it will be rejected and idempotence is maintained.
If ONE member is somehow deceived about key validity it'll propagate the message into every other member's state, eventually.