On 30 Dec 2013, at 6:58 PM, Stefan Fritsch <s...@sfritsch.de> wrote:

> Does anyone disagree with the below change (not yet merged to 2.x
> branches)? There is a similar paragraph in howto/auth.xml that I
> intend to remove.

I would say digest authentication is insecure because it (to my knowledge) forces you to store the password in cleartext. Encrypt the password at rest, encrypt over the wire with basic_auth+ssl.

Regards,
Graham
--