Here is a principle for a social web that should be kept in mind:
Users should not sign documents
Everyone makes mistakes. We are all human after all. The difference between a mistake and a signed mistake can be huge: a signature is proof that you made it, and that proof outlives your change of mind.
Suppose that we have two wonderful people, Alice and Bob. Alice and Bob are friends, so Alice shares some photos with Bob by signing a document that says Bob has access to her photos.
However, their friendship ends when Alice realizes that Bob is not a wonderful person, and a rather mean one at that. So she revokes that document.
Bob is furious. He makes a post saying that Alice is hysterical and publishes the document as proof that she liked him at some point, and anyone can check the signature against her public key and confirm that it is genuine. Revocation does not help here: it stops the document from granting access, but not from verifying. Now Alice looks like some kind of emotionally unstable person with sketchy motives.
Of course, she could unlink her signing key from her profile, but then she loses all other relations based on that public key. Will she choose to do that?
If we want a web that works for everyone, this abuse should not be possible. So, what can we do? I think it is OK for apps, or for your self-hosted identity provider, to sign on your behalf, because you can delete an app key whenever you want without losing access to your friends. It is somewhat OK to sign things as part of connection metadata, because that information is typically not saved forever (except by the NSA). However, we should take a firm stand against users signing documents as the basis for linking social data.
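To make the app-key idea concrete, here is an added example that is not code from the original post. It assumes a simple data model: the identity provider serves a profile that lists Alice's long-lived identity key and the app keys currently allowed to act for her; the listing is not itself signed by the identity key. Grants are signed by app keys only, and a verifier checks a grant against whatever keys the profile lists right now. The key ids, the grant wording and the third person Carol are all made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Profile models what Alice's self-hosted identity provider serves: her
// long-lived identity key, which never signs content itself, and the app
// keys currently allowed to act for her. This data model is an assumption
// made for the example, not something the post specifies.
type Profile struct {
	Identity ed25519.PublicKey
	AppKeys  map[string]ed25519.PublicKey // app key id -> public key
}

// Grant is a document signed by an app key, e.g. "Bob may read Alice's photos".
type Grant struct {
	Body  []byte
	KeyID string // which app key signed it
	Sig   []byte
}

func NewProfile() *Profile {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Profile{Identity: pub, AppKeys: map[string]ed25519.PublicKey{}}
}

// AuthorizeApp creates a fresh app key and lists it in the profile. The
// identity key does not sign the listing; the profile is simply served by
// the provider, so removing the entry leaves no user-signed trace behind.
func (p *Profile) AuthorizeApp(id string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	p.AppKeys[id] = pub
	return priv
}

// RevokeApp deletes one app key; the identity key and all other app keys stay.
func (p *Profile) RevokeApp(id string) { delete(p.AppKeys, id) }

// SignGrant signs a document with an app key, never with the identity key.
func SignGrant(keyID string, priv ed25519.PrivateKey, body string) Grant {
	return Grant{Body: []byte(body), KeyID: keyID, Sig: ed25519.Sign(priv, []byte(body))}
}

// VerifyGrant accepts a grant only if it was signed by an app key the profile
// lists right now. A grant from a deleted key no longer verifies, and nothing
// in it ties back to Alice's identity key.
func VerifyGrant(p *Profile, g Grant) bool {
	pub, ok := p.AppKeys[g.KeyID]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, g.Body, g.Sig)
}

// Scenario replays the story: a photo app signs the grant for Bob, Alice
// revokes that app, and her other relation (Carol, via a chat app) survives.
func Scenario() (bobBefore, bobAfter, carolAfter bool) {
	alice := NewProfile()
	photosKey := alice.AuthorizeApp("photos-app")
	chatKey := alice.AuthorizeApp("chat-app")

	bobGrant := SignGrant("photos-app", photosKey, "Bob may read Alice's photos")
	carolGrant := SignGrant("chat-app", chatKey, "Carol may message Alice")

	bobBefore = VerifyGrant(alice, bobGrant) // true: key is listed
	alice.RevokeApp("photos-app")
	bobAfter = VerifyGrant(alice, bobGrant)     // false: key is gone
	carolAfter = VerifyGrant(alice, carolGrant) // true: untouched relation
	return
}

func main() {
	before, after, carol := Scenario()
	fmt.Printf("Bob's grant before revocation: %v\n", before)
	fmt.Printf("Bob's grant after revocation:  %v\n", after)
	fmt.Printf("Carol's grant still valid:     %v\n", carol)
}
```

The contrast with the story is in VerifyGrant: had Alice signed the grant with her identity key, Bob's copy would verify against that key for as long as she keeps it, which is exactly the bind she is in. One caveat a practitioner should keep in mind: deletion only removes the live link. Anyone who archived the profile while "photos-app" was listed can still show that the key was authorized at that time, so this model weakens the proof rather than erasing it, and the weaker the link from app key to identity key, the less that archived copy proves.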