I meant encrypted for banking, of course. The key point being that the passwords are readable. Two-way, vs the one-way hash discussed before. Maybe I didn't explain myself properly.
Web site passwords might be one-way hashed, I don't know, but telephone banking passwords must be displayed on screen for the operator to read.
"Use of HTTP Auth --- digest or otherwise --- at all --- a doc-able finding."
Uh-huh. So, your photocopiers have SSL certs, do they? More likely they have nothing at all. I wonder if that's a "doc-able finding", whatever that is, presumably something bad.
This obsession with HTTP Auth being "evil" is laughable. A lot of the time it's absolutely fine. Hell, a lot of the time it's overkill.
And that rule, if true, is a Dilbert-esque joke. You can't legislate security by banning arbitrary protocols like that. Yes, SSL is more secure, but other methodologies are still useful, used appropriately. It's like the army banning pistols because machine guns are "better".