From a review of the HTTP Signature Auth Scheme by @mnot:
You don't define a corresponding challenge. Your use cases might not require a 401 + WWW-Authenticate, but have you considered that some will want this?
From @msporny:
Yes, we did consider it. We wanted this to be a mostly "you're verified or you're not" mechanism. We didn't really want any sort of back-and-forth negotiation. That said, it's a weak argument because you probably want to be able to notify clients that they could access the resource if they provided a signature. If we decide that this is going to use the "Authorization" header (and not some new kind of header), we'll define the WWW-Authenticate bits of it.
The rest of the thread can be found here: http://lists.w3.org/Archives/Public/public-webpayments/2014Feb/0019.html