Eric,
thanks for the good summary (with which I agree).
Obviously it's a good idea for IETF specs that are based on HTTP to talk
about authentication options. What's really not clear to me is why it is
expected that this exercise should be repeated for each and every
application of HTTP.
Wouldn't it make a lot more sense if there were a single BCP about the
(currently) best way to do HTTP authentication (understanding that this
may be a moving target), and let other specs such as AtomPub reference it?
Best regards, Julian