[OpenID] Why spoofing and OpenID look so much alike
SitG Admin
sysadmin at shadowsinthegarden.com
Mon Sep 29 16:04:58 UTC 2008
>Should OpenID auth have the means for an SP to force the OP to
>challenge (and thus renew the persisted cookie)?
Related - I've been considering a PAPE proposal for "time since user
last changed credentials" (to be suspicious if the user *just* reset
their password a few minutes ago - and MORE suspicious if you
suddenly get a lot of users in a row whose passwords were recently
reset!). Bad for actual passwords, though, since it could discourage
users from regularly changing them.
So far I haven't proposed it; I'm not sure it belongs in PAPE, even
if it *is* authentication-related and *could* be used to detect
(possible) attackers exploiting sudden E-mail access (or
guessing/sniffing the master password at the OP) to force the user's
password into a state they know.
-Shade
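As an added illustration of the heuristic Shade sketches above (this is example code, not part of the original post, and not part of the PAPE specification): an RP-side monitor that consumes a hypothetical `credential_age` value (seconds since the user last changed credentials at the OP, an assumed extension parameter), flags a single assertion whose credentials were reset only minutes ago, and escalates to a "burst" verdict when several such assertions arrive within a short window. The thresholds and the sample assertions are constructed for the example; absence of the field is treated as "no signal" rather than as an error, and the verdict is meant to feed risk scoring rather than hard-block logins, given the poster's own caveat about discouraging password changes.

```python
"""
Sliding-window detector for a hypothetical PAPE-style "credential_age" value.

Added example, not code from the original post or from the PAPE spec.
Assumptions: the OP returns ``credential_age`` (seconds since the user last
changed credentials); thresholds below are illustrative choices.
"""
from collections import deque
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions, tune per deployment).
RECENT_RESET_SECONDS = 600          # reset within the last 10 minutes is "fresh"
BURST_WINDOW = timedelta(minutes=15)  # look-back window for counting fresh resets
BURST_THRESHOLD = 3                  # this many fresh resets in the window -> burst


class CredentialAgeMonitor:
    """Tracks assertions carrying recently reset credentials across users."""

    def __init__(self, recent_seconds=RECENT_RESET_SECONDS,
                 window=BURST_WINDOW, burst_threshold=BURST_THRESHOLD):
        self.recent_seconds = recent_seconds
        self.window = window
        self.burst_threshold = burst_threshold
        self.fresh = deque()  # receipt times of assertions with fresh resets

    def assess(self, assertion):
        """Return 'unknown', 'ok', 'suspicious' or 'burst' for one assertion.

        assertion: dict with 'received_at' (datetime) and, optionally,
        'credential_age' (int seconds). A negative age (clock skew or a bogus
        value) is deliberately treated as fresh, i.e. suspicious.
        """
        now = assertion["received_at"]
        age = assertion.get("credential_age")
        if age is None:
            self._expire(now)
            return "unknown"          # OP gave no signal; do not penalise
        if age >= self.recent_seconds:
            self._expire(now)
            return "ok"
        self.fresh.append(now)
        self._expire(now)
        if len(self.fresh) >= self.burst_threshold:
            return "burst"            # many users in a row with fresh resets
        return "suspicious"           # one user whose password just changed

    def _expire(self, now):
        """Drop fresh-reset entries that have aged out of the window."""
        while self.fresh and now - self.fresh[0] > self.window:
            self.fresh.popleft()


def run_sample():
    """Feed a constructed sequence of assertions through the monitor."""
    t0 = datetime(2008, 9, 29, 16, 0, 0)   # constructed timestamps
    sample = [  # constructed sample assertions, not real traffic
        {"claimed_id": "alice", "received_at": t0, "credential_age": 86400},
        {"claimed_id": "bob", "received_at": t0 + timedelta(minutes=1), "credential_age": 120},
        {"claimed_id": "carol", "received_at": t0 + timedelta(minutes=2), "credential_age": 5000},
        {"claimed_id": "dave", "received_at": t0 + timedelta(minutes=3), "credential_age": 30},
        {"claimed_id": "erin", "received_at": t0 + timedelta(minutes=4), "credential_age": 90},
        {"claimed_id": "frank", "received_at": t0 + timedelta(minutes=40), "credential_age": 200},
    ]
    monitor = CredentialAgeMonitor()
    return [(a["claimed_id"], monitor.assess(a)) for a in sample]


if __name__ == "__main__":
    for claimed_id, verdict in run_sample():
        print(f"{claimed_id:6s} {verdict}")
```

The window is keyed on the RP's own receipt time rather than on the OP's clock, so a single OP with skewed time cannot silently age entries out; a real deployment would also key the window per OP, since a burst from one provider is the pattern the post describes.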