2009/7/16 Klaus Darilion <klaus.mailinglists(a)pernau.at>:
Iñaki Baz Castillo wrote:
However, to announce "stale=true" in 401/407 response the credentials must be verified.
It would be sufficient to check if the nonce is reused, response
calculation could be done afterwards
What I mean is that, response calculation should be done even if nonce
is reused. If not, there is no way to send "stolen=true" in 401/407.
I do not understand this. If the nonce was already used, the proxy could
respond immediately with 407 and "stale=true" without checking the password
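
The two check orderings debated in this thread, side by side, as an added example that is not part of the original messages and not code from any SIP proxy. `DigestChecker` and `verify_before_stale` are hypothetical names; the digest is the RFC 2617 form without qop, and every nonce is assumed to have been issued by this proxy.

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, nonce, method, uri):
    # RFC 2617 without qop: MD5(HA1:nonce:HA2)
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class DigestChecker:
    """Hypothetical proxy-side check with one-time nonces."""

    def __init__(self, realm, passwords, verify_before_stale):
        self.realm = realm
        self.passwords = passwords            # constructed sample credential store
        self.verify_before_stale = verify_before_stale
        self.used_nonces = set()

    def check(self, user, nonce, method, uri, response):
        """Return (status, stale) for a request carrying credentials."""
        reused = nonce in self.used_nonces
        if reused and not self.verify_before_stale:
            # Ordering 1: nonce check first, no password lookup at all.
            return 407, True
        if user not in self.passwords:
            return 407, False
        expected = digest_response(user, self.realm, self.passwords[user],
                                   nonce, method, uri)
        if not hmac.compare_digest(expected, response):
            # Wrong password: plain challenge, never stale=true.
            return 407, False
        if reused:
            # Ordering 2: stale=true only after the digest verified.
            return 407, True
        self.used_nonces.add(nonce)
        return 200, False
```

With ordering 1 a request that reuses a nonce gets `stale=true` even when its digest is wrong; with ordering 2 the same request gets a plain challenge, at the cost of one credential lookup and hash computation per replayed request.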