Comment # 5 on bug 56240 from
(In reply to comment #4)
> The rationale was that no-one would ever use WebDAV over an unencrypted
> channel, because otherwise the equally sensitive private data would be
> visible to eavesdroppers.
> 
That's a bold assumption. If your use case doesn't follow a Bell-LaPadula
security model but rather Biba, then you don't mind exposing the content but
the credentials to set the content. Think announcements. I don't mind everyone
reading public announcements I store via CalDAV, but I don't want everyone to
be able to set or alter these.

> Do you use https?
> 
No. Not just yet. I was going step by step.

> Sending the credentials in advance could (should?!) be limited to https.
> 
Hm. Maybe.
I see use cases for sending credentials besides the server being okay with no
credentials. I.e. the announcements scenario where it's perfectly fine to read
a calendar, but if you are authorized, you get a different calendar.


> I'm out of ideas. Can you recompile from source with the Basic
> authentication disabled?
Yes. Give me a couple of days and feel free to nag me.

> In the meantime I'll try to reproduce this with my own setup of
> Apache+DAViCal.
> 
Note that Apache is enough. In fact, any webserver that requires Digest Auth
should do. I haven't checked whether there is a simple Python implementation
but there should be one.

