[security] PAPE Policy for RPs to force authentication without browser cookie

SitG Admin sysadmin at shadowsinthegarden.com
Wed Jul 1 21:30:31 UTC 2009


>Another case is where the RP specified max_auth_age=999999999999. 
>The PAPE spec requires the OP to respond back with the time the 
>user last authenticated, if the max_auth_age is greater than the 
>duration of the user's current session with the OP. This effectively 
>gives the RP a way to find out when the user last signed in, which 
>potentially violates the user's privacy.

Let's combine this with checkid_immediate: who needs the OP to say 
anything? Just query it again and again until you've narrowed down 
the user's last login to whatever degree of precision you wanted.

-Shade



More information about the security mailing list