The payment protocol doesn't *require* signed certificates, it just gives
the option of using them.

However if you don't have some kind of cryptographic proof of identity,
what stops me putting your name and face into my payment requests and
claiming to be you?