The issues are basically in two areas.
(1) You should be using HTTP Digest Authentication (rfc2069), not HTTP Basic
Authentication. Basic authentication provides zero security (unencrypted
username and passwords are sent over the wire). Digest authentication
provides moderate security. So reference Digest authentication is section
5.5. The headers used for Digest authentication are the same (Authorization,
Proxy-Authorization, WWW-Authenticate, Proxy-Authenticate), but they have
different values. Since the paper doesn't go into details, the other sections
should be fine as they are.
(2) Not all authentication / authorization is done via HTTP. For example, the
connection may be made using SSL. In that case, SSL provides the
authentication needed. While the sections are generally good about saying
HTTP authentication is used when needed, somewhere the fact that other
security mechanisms are used should be made explicit.
And, of course, section 7 (security considerations) needs to be rewritten, but
the security group should do that.
/John