Forum OpenACS Q&A: Re: Password in ClearText

27: Re: Password in ClearText (response to 1)
Posted by Andrew Piskorski on
There has been some recent discussion on the AOLserver list about exposing the necessary API hooks so that Digest Authentication could be more easily added. Someone mentioned there that Digest Auth is likely to be needed for many server-to-server protocols that are becoming more popular. (I don't remember if that included just WebDAV like Dave mentions above, or other stuff too.) So on an OpenACS site maybe human users would never use it, but various web services would.

For actual human beings using an OpenACS website, AFAICT SSL on the login page is by far the best solution, and OpenACS already has a very good solution for this, and indeed has had it for many years, since at least ACS 4.0 if not earlier. Andrew S. seems to dislike SSL for this and states that he would prefer Digest auth without SSL as the default for the login page. Frankly, I don't understand why; his expressed preference there makes no sense at all as far as I can see.

I don't know enough about Digest Auth to understand Tom's argument that it has different semantics than OpenACS login and so can't work for OpenACS login. If someone could explain that, I'd like to hear it.