[security] PAPE Policy for RPs to force authentication without browser cookie
Nate Klingenstein
ndk at internet2.edu
Wed Jul 1 06:11:43 UTC 2009
Dick,
> I am suggesting changing the spec for the privacy reasons you
> stated. The RP does not need to know when the last auth was, just
> that it met the RP's policy.
How can this be done if the request isn't signed? Can't a user
presenting the request change the max_auth_age to whatever it wants,
or omit it entirely? "Yes, I met your requirement" doesn't mean much
if the requirement itself can be trivially changed by the client and
the RP has no indication this occurred.
Confused,
Nate.
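The scenario Nate describes, as an added example that is not part of the original thread: the RP's checkid_setup request is relayed unsigned through the user agent, so the browser can rewrite or drop openid.pape.max_auth_age before the OP sees it. The block contrasts two signed OP responses: the PAPE 1.0 behaviour, where the OP reports openid.pape.auth_time and the RP compares it against its own policy, and a hypothetical flag-only response (the parameter name openid.pape.policy_met is invented here as a stand-in for "yes, I met your requirement"). The association secret, timestamps and the simplified key:value signing helper are all constructed for the demo.

```python
"""
Constructed demo: an unsigned openid.pape.max_auth_age cannot be trusted.

openid.pape.max_auth_age and openid.pape.auth_time are PAPE 1.0 parameter
names; openid.pape.policy_met is a HYPOTHETICAL stand-in for a response that
only asserts the RP's policy was satisfied. Secret, clock and signing helper
are constructed for this example and are not a real OpenID library.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

ASSOC_SECRET = b"constructed-association-secret"  # shared RP/OP MAC key (constructed)
RP_MAX_AUTH_AGE = 300  # RP policy: login must be no older than 5 minutes
T0 = datetime(2009, 7, 1, 6, 0, 0, tzinfo=timezone.utc)  # constructed "now"
LAST_AUTH = T0 - timedelta(hours=2)  # user last logged in at the OP 2 hours ago
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # PAPE auth_time format (UTC)


def build_rp_request(max_auth_age):
    """Indirect checkid_setup request. OpenID 2.0 requests carry no signature."""
    return {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.ns.pape": "http://specs.openid.net/extensions/pape/1.0",
        "openid.pape.max_auth_age": str(max_auth_age),
    }


def tamper(request, max_auth_age):
    """The user agent relays the request and may edit or drop any field."""
    req = dict(request)
    if max_auth_age is None:
        req.pop("openid.pape.max_auth_age", None)
    else:
        req["openid.pape.max_auth_age"] = str(max_auth_age)
    return req


def _sign(fields, keys):
    # Simplified OpenID-style signature: HMAC over "key:value\n" for each
    # field listed in openid.signed (keys are given without the openid. prefix).
    kv = "".join("%s:%s\n" % (k, fields["openid." + k]) for k in keys)
    mac = hmac.new(ASSOC_SECRET, kv.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def op_respond(request, report, now=T0, last_auth=LAST_AUTH):
    """OP honours whatever max_auth_age arrived; re-authenticates only if needed.

    report == "auth_time": PAPE 1.0 style, the OP states when the user last
    authenticated.  report == "flag": hypothetical policy-met boolean only.
    """
    raw = request.get("openid.pape.max_auth_age")
    auth_time = last_auth
    if raw is not None and (now - last_auth).total_seconds() > int(raw):
        auth_time = now  # requirement not met: OP forces a fresh login
    resp = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.ns.pape": "http://specs.openid.net/extensions/pape/1.0",
    }
    if report == "auth_time":
        resp["openid.pape.auth_time"] = auth_time.strftime(TIME_FMT)
        keys = ["mode", "ns.pape", "pape.auth_time"]
    else:
        resp["openid.pape.policy_met"] = "true"  # hypothetical parameter
        keys = ["mode", "ns.pape", "pape.policy_met"]
    resp["openid.signed"] = ",".join(keys)
    resp["openid.sig"] = _sign(resp, keys)
    return resp


def _verify_sig(resp):
    keys = resp["openid.signed"].split(",")
    return hmac.compare_digest(_sign(resp, keys), resp["openid.sig"])


def rp_accepts_auth_time(resp, max_auth_age=RP_MAX_AUTH_AGE, now=T0):
    """RP re-checks the signed auth_time against its OWN policy, not the OP's."""
    if not _verify_sig(resp) or "openid.pape.auth_time" not in resp:
        return False
    t = datetime.strptime(resp["openid.pape.auth_time"], TIME_FMT)
    t = t.replace(tzinfo=timezone.utc)
    return (now - t).total_seconds() <= max_auth_age


def rp_accepts_flag(resp):
    """RP can only trust the OP's word; it has no way to see the tampering."""
    return _verify_sig(resp) and resp.get("openid.pape.policy_met") == "true"


if __name__ == "__main__":
    honest = build_rp_request(RP_MAX_AUTH_AGE)
    evil = tamper(honest, 86400)  # browser raises the limit to a day
    print("auth_time, tampered:", rp_accepts_auth_time(op_respond(evil, "auth_time")))
    print("flag only, tampered:", rp_accepts_flag(op_respond(evil, "flag")))
```

With the honest request the OP sees a two-hour-old login against a 300 second limit and forces re-authentication, so both RP checks pass. Once the browser raises max_auth_age (or drops it), the OP legitimately reports the policy as met; only the variant that returns a signed auth_time lets the RP notice that the login is older than its own policy allows.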