Dale:
I think you have made a very good point for not storing user
name and password in the CPA. However, the CPA should
at least indicate whether basic authentication is to be used
plus some reference to a generalized credential container
where applicable, if the CPP/A spec is to be aligned with the
MSG spec.
Cheers,
-Arvola