I need to restrict access to a web service interface to subscribed
users of the service.
Many of the posts I looked at on this list and the REST wiki refer
to RFC 2617 for further information on implementing http
authentication which, while clarifying my understanding of basic and
digest authentication schemes, does not address their specific usage
in a RESTful application.
Basic authentication seems to be out unless used in conjunction with
SSL, and I'm concerned that use of SSL could hurt scalability of the
application.
Digest authentication looks good, but if I understand correctly,
doesn't appear to be well supported across browsers thereby placing
restrictions on browser-based access (not that this is likely to be
the primary kind of client accessing the service).
Ideally, whichever security mechanism is selected to secure the
service should be relatively easy for developers to work with.
Would anyone care to share their views/experiences in implementing
security for RESTful web services?
Cheers
Adam