cwebber2puckipedia: there's a possible workflow where the client does have its own private key kind of vaguely outlined in the spec, so that the client could be authenticated and authorized via the public key part of that pair, but you wouldn't use LD signatures with it
