"Robert Sayre" <[EMAIL PROTECTED]> writes:

> On 7/17/06, Eric Rescorla <[EMAIL PROTECTED]> wrote:
>>
>> Right. My point was merely that it's doable as a matter of
>> programming.
>>
>
> That's debatable, from an HTTP server's perspective, because the
> server must check (and temporarily store) the whole request before it
> can tell if the client knows the password. Not a good way to handle
> video uploads.
>
> Other authentication protocols, such as Amazon S3 auth, include the
> Content-MD5 header in the digest calculation so the server only has to
> check message body integrity after it has verified that the client
> knows the password.

Sure. But then you don't *have* to use auth-int for this application.
Note that TLS doesn't have this problem.

-Ekr
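
Added example, not part of the original thread: a Python sketch of the ordering difference discussed above. `digest_auth_int` follows the RFC 2617 `auth-int` formula, where the body hash feeds the response; `header_signature` is a simplified S3-style HMAC over header values only, not Amazon's exact string-to-sign. The `Signature` header name, the function names and all sample values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_auth_int(user, realm, password, method, uri, nonce, nc, cnonce, body: bytes) -> str:
    """RFC 2617 response for qop=auth-int. H(entity-body) is an input to HA2,
    so the server cannot verify the password until it holds the whole body."""
    ha1 = md5hex(f"{user}:{realm}:{password}".encode())
    ha2 = md5hex(f"{method}:{uri}:{md5hex(body)}".encode())
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth-int:{ha2}".encode())

def header_signature(secret: bytes, method, content_md5, date, resource) -> str:
    """Simplified S3-style signature (assumption): HMAC-SHA1 over header values,
    including the Content-MD5 the client declares for the body."""
    string_to_sign = "\n".join([method, content_md5, date, resource])
    mac = hmac.new(secret, string_to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def server_check_headers_first(secret, method, headers, resource, body_chunks):
    """Return (accepted, body_bytes_read). Step 1 proves knowledge of the secret
    from headers alone; the body is only read, streamed, after that passes."""
    expected = header_signature(secret, method, headers["Content-MD5"],
                                headers["Date"], resource)
    if not hmac.compare_digest(expected, headers["Signature"]):
        return False, 0                      # rejected before reading any body
    md5, read = hashlib.md5(), 0
    for chunk in body_chunks:                # step 2: integrity, no buffering
        md5.update(chunk)
        read += len(chunk)
    actual = base64.b64encode(md5.digest()).decode()
    return hmac.compare_digest(actual, headers["Content-MD5"]), read

if __name__ == "__main__":
    secret, body = b"constructed-secret", b"x" * 1000   # constructed sample data
    cmd5 = base64.b64encode(hashlib.md5(body).digest()).decode()
    date = "Mon, 17 Jul 2006 00:00:00 GMT"
    hdrs = {"Content-MD5": cmd5, "Date": date,
            "Signature": header_signature(secret, "PUT", cmd5, date, "/video")}
    print(server_check_headers_first(secret, "PUT", hdrs, "/video", iter([body])))
    hdrs["Signature"] = header_signature(b"wrong", "PUT", cmd5, date, "/video")
    print(server_check_headers_first(secret, "PUT", hdrs, "/video", iter([body])))
```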
