I'm interested to know more about how DIGEST works. If I'm not mistaken, with this approach authentication will be done using MD5? But if transport-guarantee equals to NONE, then this authentication can still be intercepted in the middle of the network?
Well, if you're really interested in the details, have a look at RFC 2069 and RFC 2617, which define how Basic and Digest authentication works.
SSL has no impact on authentication, because the authentication information is part of the HTTP headers, which are not encrypted by SSL. Yes, the digested password is known if the transmission is intercepted, and could be used for a playback attack. But the password is still secret.
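To make the RFC 2617 mechanics concrete, here is an added worked example (my own code, not from either poster or from any servlet container). It computes the Digest `response` the client sends, using the worked values from RFC 2617 section 3.5 (user "Mufasa", realm "testrealm@host.com", password "Circle Of Life"), and a small server-side verifier that stores only HA1 rather than the plaintext password and rejects a re-submitted nonce/nc pair. The `DigestVerifier` class, its nonce bookkeeping and the `replay_demo` helper are my assumptions about how a verifier would be structured; the hashing steps themselves follow the RFC.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). The only place the password is used."""
    return _md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    """HA2 = MD5(method:digest-uri) for qop=auth."""
    return _md5_hex(f"{method}:{uri}")


def digest_response(ha1_hex, nonce, nc, cnonce, qop, ha2_hex) -> str:
    """RFC 2617 3.2.2.1, qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    return _md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2_hex}")


def client_authorization(username, realm, password, method, uri,
                         nonce, nc, cnonce, qop="auth") -> dict:
    """Fields the client puts in the Authorization header. Note that the
    password never appears; only the MD5 digest does."""
    return {
        "username": username, "realm": realm, "nonce": nonce, "uri": uri,
        "qop": qop, "nc": nc, "cnonce": cnonce,
        "response": digest_response(ha1(username, realm, password),
                                    nonce, nc, cnonce, qop, ha2(method, uri)),
    }


@dataclass
class DigestVerifier:
    """Assumed server side: holds HA1 per user (no plaintext passwords) and
    remembers which (nonce, nc) pairs it has already accepted."""
    realm: str
    ha1_store: dict                      # username -> HA1 hex
    issued: set = field(default_factory=set)
    seen: set = field(default_factory=set)

    def new_nonce(self) -> str:
        n = secrets.token_hex(16)        # fresh, unpredictable server nonce
        self.issued.add(n)
        return n

    def verify(self, method: str, auth: dict) -> bool:
        if auth.get("realm") != self.realm or auth.get("nonce") not in self.issued:
            return False
        key = (auth["nonce"], auth["nc"])
        if key in self.seen:
            return False                 # same nonce/nc replayed: reject
        h1 = self.ha1_store.get(auth["username"])
        if h1 is None:
            return False
        expected = digest_response(h1, auth["nonce"], auth["nc"], auth["cnonce"],
                                   auth["qop"], ha2(method, auth["uri"]))
        if not secrets.compare_digest(expected, auth["response"]):
            return False
        self.seen.add(key)
        return True


def replay_demo():
    """Constructed scenario: a header captured on an unencrypted link is
    sent once by the real client, then a second time by an eavesdropper.
    Returns (first_accepted, replay_accepted, password_in_header)."""
    realm = "testrealm@host.com"
    server = DigestVerifier(realm, {"Mufasa": ha1("Mufasa", realm, "Circle Of Life")})
    nonce = server.new_nonce()
    hdr = client_authorization("Mufasa", realm, "Circle Of Life", "GET",
                               "/dir/index.html", nonce, "00000001", "0a4f113b")
    first = server.verify("GET", hdr)
    replay = server.verify("GET", dict(hdr))   # identical header resent
    leaked = "Circle Of Life" in " ".join(hdr.values())
    return first, replay, leaked


if __name__ == "__main__":
    print(replay_demo())   # (True, False, False)
```

The nonce/nc tracking is what turns the interceptable digest from a reusable credential into a one-shot value; without it (or when transport-guarantee is NONE and the server reuses nonces), the captured header can be played back exactly as the reply above describes.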
I think I understand it more clearly now. So DIGEST is still doing authentication for the password. The password is still a secret. But transport-guarantee:NONE still keeps the password secret even though it can be intercepted.
Originally posted by Ulf Dittmer:
> transport-guarantee specifies how all traffic is transferred over the wire - either unencrypted via HTTP (value of NONE) or encrypted via HTTPS (value of CONFIDENTIAL).