Suppose you don't want your passwords transmitted in the clear after SSL is terminated by a proxy. Has anyone developed a secure way for the client to prove they have the password, rather than transmitting it in the body of a post?