[OpenID] E-mail verification is MultiAuth
SitG Admin
sysadmin at shadowsinthegarden.com
Fri May 1 05:14:24 UTC 2009
Looking at RPs that have users authenticate with two OpenIDs (in
the same session) to merge accounts, I realized there is a very good
reason to also require that the user demonstrate an ability to
receive E-mail at their account - because, most mailboxes not being
publicly archived, the ability to receive E-mail at an address
implies owning the password (or other authentication measure(s)) to
the corresponding account. An attacker might have compromised the
user's OP, linking it with their own, but the RP already knows that
the user has *another* "OP" - their E-mail provider. A third party is
thus available, to vouch for the user - and, more importantly, to
*test* whether this claim of dual Identity is true.

In most circumstances, it would seem logical to allow an OP to vouch
for addresses at its own domain. But if an address *is* at the same
domain as the OP, this suggests that the E-mail provider no longer
counts as a "third party" for purposes of requiring attackers to
compromise an account *apart from* the OP to steal someone's Identity,
a theft which should not be as simple as "knowing the E-mail address
of the person you wish to impersonate".
-Shade
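The RP-side policy Shade describes, as an added example that is not part of the original post: a mailbox only counts as an independent second identity when its provider is not the same party as the OP, and the merge is allowed only after a single-use, expiring token mailed to that address comes back. The domain comparison and the `EmailChallenge` class are assumptions for illustration.

```python
import secrets
from urllib.parse import urlparse

# Constructed example, not code from the original post: an RP-side check
# that counts a verified mailbox as an independent second identity only
# when its provider is not the same party as the OpenID Provider (OP).

def registrable_domain(host: str) -> str:
    """Approximate the owning organisation by the last two DNS labels.
    Assumption: no public-suffix list; production code should use one."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_independent_third_party(op_endpoint: str, email: str) -> bool:
    """True when the mailbox lives outside the OP's domain, so that
    compromising the OP alone does not also hand over the mailbox."""
    op_host = urlparse(op_endpoint).hostname or ""
    mail_host = email.rsplit("@", 1)[-1]
    return registrable_domain(op_host) != registrable_domain(mail_host)

class EmailChallenge:
    """Single-use, expiring, address-bound tokens mailed to the user."""
    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self.pending = {}  # token -> (email, issued_at)

    def issue(self, email: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # unguessable; sent only by e-mail
        self.pending[token] = (email, now)
        return token

    def verify(self, email: str, token: str, now: float) -> bool:
        entry = self.pending.pop(token, None)  # pop: any attempt burns it
        if entry is None:
            return False
        bound_email, issued_at = entry
        return bound_email == email and now - issued_at <= self.ttl

def merge_allowed(op_endpoint: str, email: str,
                  challenge: EmailChallenge, token: str, now: float) -> bool:
    """Allow the account merge only if the e-mail identity is both
    independent of the OP and actually proven by the mailed token."""
    if not is_independent_third_party(op_endpoint, email):
        return False
    return challenge.verify(email, token, now)
```

A same-domain address is refused before the token is even checked, so an attacker who controls the OP gains nothing from also controlling a mailbox under it.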