Unless I missed something we nicely issue a nonce during digest auth
(based on r->request_time) - but when the reply comes in with an
(Proxy-)Authenticate header we use the nonce provided by the client; and
do not check if it was anywhere near reasonably likely that we issued it.
So I guess
-> The release notes and the digest docs should
probably contain a warning that we are not
hardened against certain replay attacks.
-> Long term we probably want to solve this; e.g.
by using a hash over a static secret or something.
Dw
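
Added example, not part of the original message or of the server's own code: a sketch of the "hash over a static secret" idea, where the nonce carries its issue time plus an HMAC so the server can later tell whether it issued that nonce and how old it is. It is written in Python for brevity; the names `issue_nonce`, `check_nonce`, `SERVER_SECRET` and the 300-second lifetime are assumptions.

```python
import hashlib
import hmac
import os

# Assumption: one secret generated at server start and never sent to clients.
SERVER_SECRET = os.urandom(32)
NONCE_LIFETIME = 300  # seconds a nonce stays acceptable (assumed value)


def _mac(timestamp: str, secret: bytes) -> str:
    return hmac.new(secret, timestamp.encode("ascii"), hashlib.sha256).hexdigest()


def issue_nonce(request_time: float, secret: bytes = SERVER_SECRET) -> str:
    """Build a nonce of the form "<unix-time>:<HMAC(secret, unix-time)>"."""
    timestamp = str(int(request_time))
    return f"{timestamp}:{_mac(timestamp, secret)}"


def check_nonce(nonce: str, now: float, secret: bytes = SERVER_SECRET,
                lifetime: int = NONCE_LIFETIME) -> str:
    """Classify a client-supplied nonce as 'ok', 'stale' or 'forged'."""
    if not nonce.isascii():
        return "forged"
    timestamp, sep, mac = nonce.partition(":")
    if not sep or not timestamp.isdigit():
        return "forged"
    # Constant-time compare: only the holder of the secret can make this match.
    if not hmac.compare_digest(mac, _mac(timestamp, secret)):
        return "forged"
    age = now - int(timestamp)
    if age < 0 or age > lifetime:
        return "stale"  # issued by us but expired: send a fresh challenge
    return "ok"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real exchange.
    issued_at = 1_000_000
    nonce = issue_nonce(issued_at)
    print(check_nonce(nonce, issued_at + 10))         # ok
    print(check_nonce(nonce, issued_at + 3600))       # stale
    print(check_nonce("1000000:" + "0" * 64, issued_at + 10))  # forged
```

This only bounds the replay window to the nonce lifetime; rejecting a replay inside that window needs per-nonce state on the server, such as tracking the nonce count.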