<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"><meta http-equiv="Content-Type" content="text/html charset=iso-8859-1"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div><br></div><div><br></div><div><br></div>yes, but this is not true for digest auth. there are actually very few client environments that fully support digest <span class="Apple-tab-span" style="white-space:pre">        </span>out of the box.<div><br></div><div>so i would say, this argument doesn't count as digest is not any less complicated to use then any other more sophisticated auth mechanism.</div><div><br></div><div>I agree to the TLS argument: for most other auth mechanisms i looked at it seems to be requirement indeed. </div><div>But can you elaborate why we cannot ship certificates (out of the box) that need to be replaced in production environments?</div><div><br></div><div>this would give us TLS and push the need to custom certificate creation beyond the out-of-the-box scenario.</div><div><br></div><div><br></div><div><br></div><div><br></div><div><div><div>On 10 Dec 2013, at 19:00, Darran Lofthouse <<a href="mailto:darran.lofthouse@jboss.com">darran.lofthouse@jboss.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span style="font-family: Helvetica; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;">The next issue is that by using standard HTTP authentication mechanisms standard APIs can be used in many programming languages to actually call the management interface without needing to know about alternative authentication schemes.</span></blockquote></div><br></div></body></html>