Regarding Draft -08...
Remove section 13. Replace section 14 with a more generic statement about APP being subject to the same security considerations as RFC2616 with a constraint that if Basic Auth is used, TLS SHOULD also be used.
APP is an HTTP spec. HTTP already has defined authentication mechanisms. There is no need for APP to specify specific authentication mechanisms. CGI authentication is valuable, but best done as a separate spec deriving from RFC2617.
Remove section 13. Replace section 14.
14. Security Considerations Implementations of the Atom Publishing Protocol SHOULD be protected using HTTP Authentication mechanisms as defined by or derived from [RFC2617]. If implementations choose to implement support for HTTP Basic Authentication, they SHOULD support encryption of the session using TLS [RFC2246]. The security of the Atom Publishing Protocol is subject to the same security considerations as discussed in [RFC2616] and are entirely dependent on the strengths and weaknesses of the implementation and chosen authentication and transport security mechanisms.