also, what makes you think that a client sending an auth envelope with a challenge is not a requirement????