OpenID Assertion Quality Extension - Draft

George Fletcher gffletch at aol.com
Thu Nov 30 18:16:30 UTC 2006


+1 simple and straightforward

Just curious about use cases where the required authentication level 
changes over time.  For instance, a use case where to view my stock 
portfolio just requires "password", but doing a trade requires 
"voicebio".  Is the expectation that authentication events can be 
treated as "standalone", or that it's the RP's responsibility to manage 
the combinations based on the identifier?

One final question... Is it valuable to provide a way to request two or 
more authentication methods be employed in the authentication event?  
For example, administrators of a site must use both "password" and 
"hardotp".  Everyone else just needs "password".

Thanks,
George




