No PKI/X.509 certificates are used here.

Why not? Doing so might:

  1. Tie us unnecessarily to other data, for example saying Tiina has to be a person (rather than a software agent)
  2. Pull in private, personal data we don't need

This approach lets applications merge in whatever data might be relevant and filter out whatever is irrelevant.