On 7/17/06, Eric Rescorla <[EMAIL PROTECTED]> wrote:
Right. My point was merely that it's doable as a matter of programming.
That's debatable, from an HTTP server's perspective, because the server must check (and temporarily store) the whole request before it can tell if the client knows the password. Not a good way to handle video uploads. Other authentication protocols, such as Amazon S3 auth, include the Content-MD5 header in the digest calculation so the server only has to check message body integrity after it has verified that the client knows the password. -- Robert Sayre "I would have written a shorter letter, but I did not have the time."
