Daniel-Constantin Mierla writes:
If I haven't missed something, Juha said it is not good to ask the user again for introducing the password in the (soft)phone app. The hashed response (with nonce, realm, password) has to be sent always over the network, no matter the stale parameter value. So it is just the inconvenience of the person to type the password, it doesn't impact at all what is sent over the network.
I tried to say that if a UA sends a REGISTER request that includes an Authorization header and gets back a 401 WWW-Authenticate header without stale=true, the UA MUST ask the user to enter the authentication username/password again, even when there is nothing wrong with them.
In practice that is in many cases impossible, e.g., when the UA is in the user's pocket. That is why it is important that the server includes the flag in the 401 response.
-- Juha
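The server-side decision discussed in this thread, as an added example that is not part of the original messages or any SIP server's code: a registrar check that sets stale=true only when the digest is correct for an expired nonce, following RFC 2617 digest without qop. The realm, nonce lifetime, function names and sample values are assumptions constructed for illustration.

```python
import hashlib, hmac, re

REALM = "example.invalid"   # constructed realm
NONCE_TTL = 300             # seconds, constructed nonce lifetime

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, password, method, uri, nonce):
    # RFC 2617 digest without qop: MD5(HA1:nonce:HA2)
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def parse_authorization(header):
    # 'Digest k="v", k=v' -> dict of parameters
    return {k: v.strip('"') for k, v in
            re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', header.split(" ", 1)[1])}

def challenge(nonce, stale):
    value = f'Digest realm="{REALM}", nonce="{nonce}", algorithm=MD5'
    return value + (", stale=true" if stale else "")

def check_register(auth_header, passwords, issued_nonces, now, new_nonce):
    """Return (status, WWW-Authenticate value or None) for a REGISTER."""
    a = parse_authorization(auth_header)
    password = passwords.get(a.get("username", ""))
    creds_ok = password is not None and hmac.compare_digest(
        a.get("response", ""),
        digest_response(a["username"], password, "REGISTER",
                        a.get("uri", ""), a.get("nonce", "")))
    issued_at = issued_nonces.get(a.get("nonce"))
    fresh = issued_at is not None and now - issued_at <= NONCE_TTL
    if creds_ok and fresh:
        return 200, None
    # stale=true only when the digest was correct for the expired nonce,
    # so the UA can retry with the cached password instead of prompting.
    return 401, challenge(new_nonce, stale=creds_ok)

def make_header(user, password, uri, nonce):
    # UA side: build the Authorization value for the constructed requests
    resp = digest_response(user, password, "REGISTER", uri, nonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')
```

A wrong password against an expired nonce still yields a 401 without the flag, so the flag never confirms a guessed credential.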