[OpenID] Password age and password reset
SitG Admin
sysadmin at shadowsinthegarden.com
Wed May 13 05:38:07 UTC 2009
>Well, in the original proposal, the RP would tell the OP to tell the
>attacker to change the password. I still don't quite understand the
>proposal and the attack scenarios that it's trying to defend against.
Looking back at it, I think now the idea was that passwords which
have been the same for too long are more likely to have been
guessed/stolen. My original interpretation was that RPs would care
if an OP said "This user authenticated with a password that was
changed five minutes ago." (indicating that the attacker had tried to
lock the legitimate user out of the account, and was then trying to
exploit their stolen account before the user found out and reported
it).
-Shade