Re: [Ietf-http-auth] Updating RFC 2617 (HTTP Digest) to use UTF-8

Ingo Struck wrote:
> - some Netscape descendants tend to use a stale nonce
>   after the server sent an updated nonce

As I've pointed out many times over the past several years: 2617 
contains _conflicting_ language regarding whether H(A1) should be 
recalculated upon receipt of nextnonce when using MD5-sess. It would 
take one short sentence to resolve this ambiguity one way or the other.

With conflicting language in the spec, it's no wonder that these 
implementations get it "wrong" -- they have to choose between two 
mutually exclusive statements.

/a

Received on Sunday, 15 October 2006 17:04:56 UTC
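
An added illustration, not part of the original message or of RFC 2617: the two readings of MD5-sess after a `nextnonce`, showing that a client and server which choose differently compute different `response` values for the same request. All credential and nonce values are constructed, the helper names are hypothetical, and the inner H(A1) hash is assumed to be hex-encoded, as common implementations do.

```python
import hashlib

def H(s: str) -> str:
    """MD5 as a lowercase hex string, as used throughout Digest."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def session_ha1(user, realm, password, nonce, cnonce):
    # MD5-sess: A1 = H(user:realm:password) ":" nonce ":" cnonce
    return H(f"{H(f'{user}:{realm}:{password}')}:{nonce}:{cnonce}")

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    # request-digest = H( H(A1) : nonce : nc : cnonce : qop : H(A2) )
    ha2 = H(f"{method}:{uri}")
    return H(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

# Constructed sample values (not taken from the message or the RFC).
USER, REALM, PASSWORD = "alice", "example-realm", "correct horse"
CHALLENGE_NONCE = "nonce-from-www-authenticate"
NEXTNONCE = "nonce-from-authentication-info"
CNONCE = "client-nonce-1"

def response_after_nextnonce(recalculate_ha1: bool) -> str:
    """Response for the first request sent after the server issued nextnonce.

    recalculate_ha1=False: H(A1) is the session key derived once from the
                           original challenge nonce and then kept.
    recalculate_ha1=True:  H(A1) is rederived from nextnonce.
    Both readings use nextnonce (with nc restarted) in the outer digest.
    """
    a1_nonce = NEXTNONCE if recalculate_ha1 else CHALLENGE_NONCE
    ha1 = session_ha1(USER, REALM, PASSWORD, a1_nonce, CNONCE)
    return digest_response(ha1, "GET", "/index.html", NEXTNONCE, "00000001", CNONCE)

def compare_readings() -> dict:
    keep = response_after_nextnonce(False)
    recalc = response_after_nextnonce(True)
    return {"keep": keep, "recalc": recalc, "interoperable": keep == recalc}

if __name__ == "__main__":
    for name, value in compare_readings().items():
        print(f"{name:14} {value}")
```

A server that verifies with one reading rejects every request from a client that uses the other, which from the outside looks like the client presenting stale credentials.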