Why REST security doesn't exist