I propose that the user-agent MUST choose the strongest auth-scheme it understands. This permits the server to put Basic first for old browsers (if it finds Basic acceptably secure). The order really doesn't matter, since the server is only supposed to offer minimally acceptable schemes.