@kopper @hazelnoot @cwebber @smallcircles i tend to favor an approach where you can negotiate/discover which auth-schemes are allowable via WWW-Authenticate header and then you use an Authorization header with that auth-scheme. think of http sigs as being most of the way to a fully defined auth-scheme, we just don't include some header like Authorization: Signature sig1 or whatever (which requires specifying how to go from keyId to some other associated identity)