This reminds me - it'd be nice to see some discussion on interaction between HTTP-layer authentication and XMPP-layer authentication.
If a client authorizes using HTTP Basic, does that mean it then uses EXTERNAL in XMPP? M-Link's next release will do this for TLS-based auth (i.e., X.509 strong auth over BOSH) - I'm not so sure what we should do for Basic, if anything.
