[OpenID] Password age and password reset

SitG Admin sysadmin at shadowsinthegarden.com
Thu May 14 02:46:48 UTC 2009


>In what I am proposing the transfer is intermediated by the browser,
>so not covert.

A clever (and even marginally skilled) attacker will have all 
redirects intercepted and waiting on their approval; if they can 
learn of the RP's suspicion *and* block the OP from learning about 
it, the transfer would be worse than useless: it would only serve to 
annoy legitimate users.

-Shade


