[wlockiv]

I think it's fair to describe the need for signing as a lemming. However, I wonder why the initial evangelists of this standard (that is, in our current post-http era) chose signing instead of API Keys.

So often these kinds of things are a reaction to some negative experience.

[mfbx9da4]

I would be curious too. I think it comes down to the benefits are there and they're cheap enough that they may as well recommend a more secure approach.