Hi Frits,
Your answer was right according to SAI, but the explanation was not the same.
I had marked the answer as D as I read the line
These devices have tight security requirements in their mini-browsers with locked down policies and certs.
SAI says
Java Servlet Specification, Version 2.4 (SRV.12.5)
Option A is incorrect because the user's credentials are sent in a simple base64 encoding in a request header.
Option B is incorrect because the user's credentials are sent in plain text in the request body or query string.
Option C is correct because the user's credentials are sent in a digest that is a stronger encoding than base64.
Option D is incorrect because this authentication mechanism requires the "user" to have a public key authentication. The devices will not allow them to add the SSL certs.
So what do you think?
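The difference between the base64 header described for Option A and the digest described for Option C, as an added example that is not part of the original post or of the SAI material. It assumes those options correspond to HTTP Basic and HTTP Digest (RFC 2617, qop=auth); the function names are hypothetical and the sample values are the ones published in RFC 2617.

```python
import base64
import hashlib

def basic_header(user, password):
    """HTTP Basic: the header value is just base64("user:password")."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token

def recover_basic(header):
    """Base64 is an encoding, not encryption: any observer can reverse it."""
    _scheme, token = header.split(" ", 1)
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def _md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """HTTP Digest (RFC 2617, qop=auth): only a hash goes on the wire.

    The password is mixed into HA1 and never transmitted; the server's
    nonce ties the response to one challenge, so it differs per challenge.
    """
    ha1 = _md5_hex(f"{user}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

# Sample values taken from the examples in RFC 2617 (not from the post).
RFC_DIGEST = dict(
    user="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
    method="GET", uri="/dir/index.html",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001",
    cnonce="0a4f113b",
)

if __name__ == "__main__":
    hdr = basic_header("Aladdin", "open sesame")
    print("Basic header :", hdr)
    print("Recovered    :", recover_basic(hdr))
    print("Digest resp. :", digest_response(**RFC_DIGEST))
    # A fresh server nonce (constructed value) yields an unrelated response.
    other = dict(RFC_DIGEST, nonce="0123456789abcdef0123456789abcdef")
    print("New nonce    :", digest_response(**other))
```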