Assuming a non-SSL client, wouldn't this make the use of digest
authentication a bit "too little, too late" in many situations?
Any mechanism that could allow the client to securely transmit a password to the server in the absence of any prior shared secrets would have to involve some sort of public-key crypto. This would make it nearly as complex as SSL, so why not just use SSL, which provides the additional benefit of encrypting the entire session including message contents?
-- Jens
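To make the "prior shared secret" point concrete, here is a worked example of RFC 2617 HTTP Digest authentication with both the client and server side. This is an added illustration, not code from the thread: the server only ever checks a response derived from an HA1 value it already holds, so the password itself does not cross the wire at login time, but that HA1 had to be enrolled first, and on a non-SSL connection that enrollment is what an eavesdropper sees. The realm, usernames, passwords, and the `DigestServer`/`DigestClient` class names are constructed for the example.

```python
"""RFC 2617 HTTP Digest authentication, both sides, as a worked example.

Added illustration, not code from the original thread. What it shows:
the server verifies a response computed from a secret it already stores
(HA1), so login never sends the password itself; but HA1 only exists because
an earlier enrollment step delivered the password, and without TLS that
step is cleartext. Realm, user names and passwords are constructed values.
"""
import hashlib
import hmac
import secrets


def md5_hex(s: str) -> str:
    # Digest as defined in RFC 2617 is built on MD5; kept here for fidelity to the scheme.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # HA1 = MD5(username:realm:password). This is the only form the password takes at rest.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    # qop="auth" form: response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Minimal server side: issues nonces, stores HA1 per user, checks responses."""

    def __init__(self, realm: str):
        self.realm = realm
        self.users = {}           # username -> HA1 (never the plaintext password)
        self.live_nonces = set()  # nonces issued and not yet consumed

    def enroll(self, username: str, password: str) -> None:
        # Enrollment is the step where the cleartext password must reach the server.
        # Without TLS, this step (not the later logins) is what a sniffer captures.
        self.users[username] = ha1(username, self.realm, password)

    def challenge(self) -> str:
        # WWW-Authenticate nonce: unpredictable and single-use in this example.
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response, qop="auth") -> bool:
        if username not in self.users or nonce not in self.live_nonces:
            return False
        expected = digest_response(self.users[username], method, uri, nonce, nc, cnonce, qop)
        # Consume the nonce so a captured Authorization header cannot be replayed.
        self.live_nonces.discard(nonce)
        return hmac.compare_digest(expected, response)


class DigestClient:
    """Client side: derives HA1 locally and answers a challenge with a response digest."""

    def __init__(self, username: str, realm: str, password: str):
        self.username = username
        self.h1 = ha1(username, realm, password)

    def authorize(self, method: str, uri: str, nonce: str, nc: str = "00000001") -> dict:
        cnonce = secrets.token_hex(8)
        return {"username": self.username, "method": method, "uri": uri, "nonce": nonce,
                "nc": nc, "cnonce": cnonce,
                "response": digest_response(self.h1, method, uri, nonce, nc, cnonce)}


def demo_exchange():
    """Run one login and then replay the same header; returns (first_ok, replay_ok)."""
    server = DigestServer("example.test")
    server.enroll("alice", "correct horse battery staple")  # constructed credential
    client = DigestClient("alice", "example.test", "correct horse battery staple")
    nonce = server.challenge()                # server -> client: WWW-Authenticate
    hdr = client.authorize("GET", "/private", nonce)  # client -> server: Authorization
    first = server.verify(**hdr)
    replay = server.verify(**hdr)             # same header again: nonce already consumed
    return first, replay


if __name__ == "__main__":
    print("login ok, replay ok:", demo_exchange())
```

The client never sends the password or HA1, only the response digest, which is what Digest buys you over Basic. Everything else the question worries about still holds: `enroll` has to receive the password somehow, the response is only as strong as an offline MD5 guess against the captured nonce/cnonce, and nothing in the exchange hides the request body, which is why the reply above points at SSL instead.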
