I think it's fair to describe the need for signing as a lemming. However, I wonder why the initial evangelists of this standard (that is, in our current post-http era) chose signing instead of API Keys.
So often these kinds of things are a reaction to some negative experience.
I would be curious too. I think it comes down to the benefits are there and they're cheap enough that they may as well recommend a more secure approach.
So often these kinds of things are a reaction to some negative experience.