"HTTPA assumes the client is trusted and the server is not"
Unless I'm much mistaken, at least in the commercial domain a big proportion (if not the majority) of attacks are initiated client side.
The real problem still remaining to be solved is how to ensure secure processing on an untrustworthy client.
Biting the hand that feeds IT
