[OpenID] Password age and password reset

SitG Admin sysadmin at shadowsinthegarden.com
Thu May 14 02:29:38 UTC 2009


>The key is that as an RP, you have to be able to shut down "bad 
>accounts" and if that account is an OpenID (or any other federated 
>identity), then there is no way for the user (good or otherwise) to 
>reset things. They are locked out completely. Hence, in order to 
>enable a good experience for users, the RP would like the OP to do 
>something to prove the user is really "good" before the RP will let 
>them back in. This does of course not protect against the attacker 
>going through the hoops to prove the attacker is "good", but I'd say 
>that's out of scope for this proposal.

My policy was to simply disable the account permanently, and display 
a message about the user needing to reactivate it by communicating 
through already authorized channels. The fallback was to disable the 
account for a minimum length of time, say 2 weeks, during which ANY 
user supplying the old credentials could indicate that their ability 
to communicate new credentials and keep those private would be 
impaired, and/or their connectivity was disrupted, and the account 
should be kept disabled *permanently*.

-Shade
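A constructed model of the lockout policy Shade describes (added example, not code from the list or from any OpenID implementation): a permanent disable by default, a timed hold of at least two weeks as the fallback, an escalation to permanent that anyone holding the old credentials can trigger during the hold, and reactivation only through an already authorized out-of-band channel. The `Account` fields, the 14-day constant and the channel flag are assumptions made for the illustration.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MIN_HOLD = timedelta(days=14)  # assumed "minimum length of time" from the post

@dataclass
class Account:
    old_credential: str           # credential in use when the account was disabled
    state: str = "active"         # active | held | permanent
    held_until: Optional[datetime] = None
    reason: str = ""

def disable(acct: Account, now: datetime, permanent: bool = True) -> Account:
    """Default policy: permanent disable. Fallback: hold for at least MIN_HOLD."""
    if permanent:
        acct.state, acct.reason = "permanent", "reactivate via authorized channel"
    else:
        acct.state, acct.held_until = "held", now + MIN_HOLD
        acct.reason = "held: old-credential holders may request a permanent lock"
    return acct

def request_permanent(acct: Account, presented: str, now: datetime) -> bool:
    """During the hold, ANY presenter of the old credential may force a permanent
    lock. Note the consequence: an attacker who took the credential can do this
    too, which the policy tolerates because permanent disable is the safe default."""
    if acct.state != "held" or acct.held_until is None or now >= acct.held_until:
        return False
    # constant-time compare so the check itself does not leak the credential
    if not hmac.compare_digest(presented.encode(), acct.old_credential.encode()):
        return False
    acct.state, acct.reason = "permanent", "locked at credential holder's request"
    return True

def reactivate(acct: Account, now: datetime, via_authorized_channel: bool) -> bool:
    """Only an already authorized out-of-band channel can reactivate, and a timed
    hold cannot be lifted early; the old credential alone never reactivates."""
    if not via_authorized_channel or acct.state == "active":
        return False
    if acct.state == "held" and acct.held_until is not None and now < acct.held_until:
        return False
    acct.state, acct.held_until, acct.reason = "active", None, ""
    return True
```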



More information about the general mailing list