Earlier today I read through RFC 2617 (HTTP Digest Access Authentication) and was pretty impressed by a number of parts about it, particularly how the server can reply that the nonce value is stale and the client will reply without prompting the user for the password again. That was one of the things that'd always bothered me about HTTP-based challenge-response in the past, but I just hadn't taken the time to more than skim the RFC before.
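To make the stale-nonce behaviour concrete, here is an added example (mine, not from the post and not any browser's or server's code) of the RFC 2617 exchange with qop=auth: a toy in-memory server that issues nonces with a lifetime and answers `stale=true` only when the digest was valid for the expired nonce, and a client that caches HA1 and the last challenge, sends Authorization preemptively, and retries a stale challenge without asking for the password again. Headers are modelled as dicts rather than parsed header strings; the realm, usernames, passwords and timestamps are made up for the demo.

```python
"""Added example: RFC 2617 Digest auth (qop=auth) with stale-nonce retry.
Toy in-memory server and client; not from the original post or any browser.
"""
import hashlib
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def compute_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for qop=auth:
    KD(HA1, nonce:nc:cnonce:qop:HA2) with HA2 = H(method:uri)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Issues nonces with a lifetime and verifies Authorization headers."""

    def __init__(self, realm, users, nonce_lifetime):
        self.realm = realm
        self.users = users            # username -> password; plaintext for the demo only
        self.nonce_lifetime = nonce_lifetime
        self.issued = {}              # nonce -> time it was issued

    def challenge(self, now, stale=False):
        nonce = secrets.token_hex(16)
        self.issued[nonce] = now
        return {"realm": self.realm, "nonce": nonce, "qop": "auth", "stale": stale}

    def handle(self, req, now):
        """Return (status, challenge-or-None) for a request dict."""
        auth = req.get("authorization")
        if auth is None or auth["username"] not in self.users:
            return 401, self.challenge(now)
        ha1 = _md5(f"{auth['username']}:{self.realm}:{self.users[auth['username']]}")
        expected = compute_response(ha1, req["method"], req["uri"],
                                    auth["nonce"], auth["nc"], auth["cnonce"])
        if not secrets.compare_digest(expected, auth["response"]):
            return 401, self.challenge(now)          # bad password: stale=false
        issued = self.issued.get(auth["nonce"])
        if issued is None or now - issued > self.nonce_lifetime:
            # The digest was valid for the nonce presented, so the client knows
            # the password; only the nonce is old. RFC 2617: set stale=true.
            return 401, self.challenge(now, stale=True)
        return 200, None


class DigestClient:
    """Caches HA1 and the last challenge, sends Authorization preemptively,
    and treats a 401 with stale=false after sending credentials as a rejection."""

    def __init__(self, username, password):
        self.username, self.password = username, password
        self.ha1 = None               # set on first prompt, reused afterwards
        self.challenge = None
        self.nc = 0
        self.prompts = 0              # how often the user was asked for the password

    def _authorization(self, method, uri):
        if self.ha1 is None:
            self.prompts += 1         # only this path would show a password dialog
            self.ha1 = _md5(f"{self.username}:{self.challenge['realm']}:{self.password}")
        self.nc += 1
        nc, cnonce, nonce = f"{self.nc:08x}", secrets.token_hex(8), self.challenge["nonce"]
        return {"username": self.username, "nonce": nonce, "nc": nc, "cnonce": cnonce,
                "response": compute_response(self.ha1, method, uri, nonce, nc, cnonce)}

    def request(self, server, method, uri, now):
        req = {"method": method, "uri": uri}
        if self.challenge is not None:
            req["authorization"] = self._authorization(method, uri)
        for _ in range(3):
            status, chal = server.handle(req, now)
            if status != 401:
                return status
            if self.challenge is not None and not chal["stale"]:
                return status         # credentials rejected; a browser would re-prompt
            self.challenge = chal     # stale=true or first challenge: retry silently
            req["authorization"] = self._authorization(method, uri)
        return status


def demo():
    """Constructed scenario: fresh login, stale-nonce retry, wrong password."""
    server = DigestServer("secure@example.com", {"alice": "s3cret"}, nonce_lifetime=60)
    alice = DigestClient("alice", "s3cret")
    first = alice.request(server, "GET", "/private", now=1000.0)
    # 120 s later the cached nonce has expired: the server answers stale=true and
    # the client recomputes with the new nonce and cached HA1, with no new prompt.
    later = alice.request(server, "GET", "/private", now=1120.0)
    mallory = DigestClient("alice", "wrong")
    rejected = mallory.request(server, "GET", "/private", now=1120.0)
    return first, later, alice.prompts, rejected
```

`demo()` returns `(200, 200, 1, 401)`: both of alice's requests succeed and she is prompted exactly once, while the wrong-password client gets a 401 with `stale=false`, which is the signal a browser uses to decide it must ask the user again. The ordering in `handle` matters: the digest is checked before the nonce age, because RFC 2617 only permits `stale=true` when the response was valid for the nonce presented; flipping the order would let anyone probe which nonces are still live without knowing a password. The demo omits the nonce-count replay check (`nc` must increase per nonce) and keeps plaintext passwords for clarity; a real server would store H(A1) per user as the RFC allows.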
But... I wonder if this spec is implemented properly in enough common browsers. Does anybody know?
I could do some really cool shit with this, but I don't want to waste my time if it's going to only 80% work in 95% of browsers. Or, I could just go all 1995 and put up "This site best viewed with Netscape 12.0!" all over my sites.