oasis-tcs / cti-taxii2

OASIS CTI TC: An official CTI TC repository for TAXII 2 work
https://github.com/oasis-tcs/cti-taxii2

HTTP Basic Authentication should be optional for TAXII clients #85

Open adulau opened 6 years ago

adulau commented 6 years ago

As #58 is now in the TAXII 2.1 spec, could we ensure that Basic Authentication is also optional for the TAXII client? Thank you.

gtback commented 6 years ago

I've thought a lot about this, and while I initially supported it and thought that it made sense, I'm worried about something that (I think) @jasonkeirstead has brought up before: if a server (software product) supports only HTTP Basic Authentication, and a client (software product/library) doesn't support HTTP Basic Authentication, it will be impossible for them to interoperate.

Given the assumption that there will be some applications of TAXII that won't require authentication, we shouldn't mandate that every TAXII communication use authentication (of any form), as discussed in #58. To ensure interoperability, either the client or the server should be required to support both authenticated and unauthenticated communication. Given the points that (especially) @johnwunder made in #58, forcing the server to support it is not optimal. I think it's reasonable for clients to support both authenticated and unauthenticated HTTP, and much less troublesome than for servers.

It's perfectly fine for some closed community/instance to never use HTTP Basic Authentication, but the software they use should support it (unless it's some custom software for that community only, in which case interoperability is less relevant).
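An added example, not code from the cti-taxii2 repository, of the client behaviour argued for above: a TAXII 2.1 client that sends the request unauthenticated when no credentials are configured and adds an HTTP Basic `Authorization` header when they are, and that recognises a 401 Basic challenge so that "credentials required" is reported rather than a generic failure. The URL and credentials in it are constructed placeholders.

```python
import base64
import json
from typing import Any, Dict, Optional, Tuple
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Media type defined by TAXII 2.1 for all request and response bodies.
TAXII_21_MEDIA_TYPE = "application/taxii+json;version=2.1"


def build_headers(username: Optional[str] = None,
                  password: Optional[str] = None) -> Dict[str, str]:
    """Return request headers; Authorization is present only when both
    a username and a password are configured (authentication optional)."""
    headers = {"Accept": TAXII_21_MEDIA_TYPE}
    if username is not None and password is not None:
        token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
        headers["Authorization"] = "Basic " + token.decode("ascii")
    return headers


def basic_challenge(status: int, www_authenticate: Optional[str]) -> bool:
    """True when the server answered 401 with an HTTP Basic challenge,
    i.e. it supports Basic Authentication and requires it for this resource."""
    if status != 401 or not www_authenticate:
        return False
    return www_authenticate.strip().lower().startswith("basic")


def fetch_discovery(url: str, username: Optional[str] = None,
                    password: Optional[str] = None) -> Tuple[int, Any]:
    """GET the TAXII 2.1 discovery resource (e.g. https://<server>/taxii2/,
    a constructed placeholder). Without credentials the request goes out
    unauthenticated, which is legitimate for open servers; a 401 carrying a
    Basic challenge is reported as 'credentials required' so the operator
    knows the client must be configured, not that the server is unreachable."""
    req = Request(url, headers=build_headers(username, password))
    try:
        with urlopen(req, timeout=10) as resp:  # nosec: caller supplies URL
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except HTTPError as err:
        if basic_challenge(err.code, err.headers.get("WWW-Authenticate")):
            raise PermissionError(
                "server requires HTTP Basic Authentication; configure "
                "a username and password") from err
        raise


if __name__ == "__main__":
    # Constructed placeholder credentials; the server URL is hypothetical.
    print(build_headers("alice", "s3cret"))
```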

adulau commented 6 years ago

I understand the argument, but I think it's just a bit too much for the adoption of a standard. We had some internal discussions about the use of TAXII 2.0+ and have seen that a complete ecosystem of information sharing with API keys is very common, without relying on HTTP Basic Authentication. So we could have compliant clients relying on API keys alone, without the need to implement HTTP Basic Authentication. Maybe the wording should be the standard IETF "SHOULD" for Basic Auth? To say that it is RECOMMENDED but not OPTIONAL.