intertwingly

James Clark: Overall I think we can do much better than S/MIME by designing something specifically for HTTP.

James' third reason looks like a killer one to me.  One minor caution: There are scenarios where it is convenient for servers to be able to stream responses, and most signing algorithms are designed to accommodate such requirements.  This would tend to indicate that a design that tacks signatures on the end would be preferred.  YMMV.