2009/7/16 Klaus Darilion
<klaus.mailinglists(a)pernau.at>at>:
Iñaki Baz Castillo schrieb:
However, to anounce "stale=true" in
401/407 response the
credentials must be verified.
It would be sufficient to check if the nonce is
reused, response calculation
could be done afterwards
What I mean is that, response calculation should be done even if nonce
is reused. If not, there is no way to send "stolen=true" in 401/407.
I do not understand this. If the nonce was already use, the proxy could
respond immediately with 407 and "stale=true" without checking the password
regards
klaus