On Oct 5, 2007, at 8:53 AM, Peter Saint-Andre wrote: > So I would vote for (i) don't include the password element (and > make it deprecated ASAP). +1. The client should prompt for a password if it gets back a 401 from the room. Just like HTTP.