Daniel-Constantin Mierla writes:
With the above considerations, to make it spec compliant, the code has to be extended so that even in the case of an expired nonce, auth_db (and the other auth* variants) goes further to compute the response and, if there is a match, then adds stale=true. As it is right now, if someone sends an expired nonce with an incorrect password, stale=true is added, even though it shouldn't be as per the specs.
I would consider that a serious bug that needs to be fixed. stale=true should be set only in case authentication would otherwise succeed, but the nonce has expired.
After the fix, I don't see any reason why stale=true could not be set.
-- Juha
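The two orderings discussed in this thread, as an added illustration that is not Kamailio's own auth_db code: a minimal RFC 2617 Digest check (no qop) in which `check_buggy` decides on nonce expiry before comparing the response, while `check_fixed` compares the response first and reports stale=true only when the credentials would otherwise have verified. The nonce layout `<issue_time>.<random>`, the 300 s lifetime and the `make_cred` helper are assumptions made for the example.

```python
import hashlib

# Constructed, self-contained illustration of RFC 2617 Digest verification
# (no qop) for a SIP REGISTER. Not Kamailio's auth_db code; the nonce layout
# "<issue_time>.<random>" and the 300 s lifetime are assumptions.

NONCE_LIFETIME = 300


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def expected_response(username, realm, password, method, uri, nonce):
    """Server-side recomputation of the Digest response (RFC 2617, no qop)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def nonce_expired(nonce: str, now: int) -> bool:
    issued = int(nonce.split(".", 1)[0])  # assumed "<issue_time>.<random>"
    return now - issued > NONCE_LIFETIME


def make_cred(username, realm, password, method, uri, nonce):
    """Build the Authorization fields a client would send (constructed)."""
    return {"username": username, "realm": realm, "method": method,
            "uri": uri, "nonce": nonce,
            "response": expected_response(username, realm, password,
                                          method, uri, nonce)}


def response_matches(cred, password) -> bool:
    """Compare the client's response against the recomputed one."""
    return cred["response"] == expected_response(
        cred["username"], cred["realm"], password,
        cred["method"], cred["uri"], cred["nonce"])


def check_buggy(cred, password, now):
    """Pre-fix ordering: expiry is decided before the response is compared,
    so a wrong password with an old nonce is still answered with stale=true."""
    if nonce_expired(cred["nonce"], now):
        return "stale"
    return "ok" if response_matches(cred, password) else "invalid"


def check_fixed(cred, password, now):
    """Spec-compliant ordering: compare the response first; only a matching
    response carrying an expired nonce is reported as stale=true."""
    if not response_matches(cred, password):
        return "invalid"
    return "stale" if nonce_expired(cred["nonce"], now) else "ok"
```

With the fixed ordering a challenge carrying stale=true is only ever sent to a client that already proved knowledge of the password, which is the behaviour the spec intends.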