[security] PAPE Policy for RPs to force authentication without browser cookie
James A. Donald
jamesd at echeque.com
Thu Jul 2 00:10:14 UTC 2009
SitG Admin wrote:
> Let's combine this with checkid_immediate: who needs the OP to say
> anything? Just query it again and again until you've narrowed down the
> user's last login to whatever degree of precision you wanted.
Limit the number of max auth ages that can be specified by any one RP
within a reasonable period.
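
The limit suggested in the reply above, sketched as an added example that is not part of the original post: the OP counts the distinct openid.pape.max_auth_age values each RP realm has sent within a sliding window and refuses new values once a budget is used up. The class name, the budget of 3, the one-hour window and the realm URL are assumptions made for illustration.

```python
import time
from collections import defaultdict


class MaxAuthAgeLimiter:
    """OP-side cap on distinct max_auth_age values per RP in a sliding window."""

    def __init__(self, max_distinct=3, window_seconds=3600, clock=time.monotonic):
        self.max_distinct = max_distinct      # assumed budget, not from the post
        self.window = window_seconds          # assumed "reasonable period"
        self.clock = clock                    # injectable so tests can control time
        self._seen = defaultdict(dict)        # rp_realm -> {max_auth_age: last_seen}

    def allow(self, rp_realm, max_auth_age):
        """Return True if the OP should honour this max_auth_age for this RP."""
        now = self.clock()
        seen = self._seen[rp_realm]
        # Forget values this RP has not used within the window.
        for age in [a for a, ts in seen.items() if now - ts > self.window]:
            del seen[age]
        if max_auth_age in seen:
            seen[max_auth_age] = now          # a repeated value uses no new slot
            return True
        if len(seen) >= self.max_distinct:
            return False                      # caller decides how to answer the RP
        seen[max_auth_age] = now
        return True


def demo():
    """Constructed request sequence from one RP that keeps changing the value."""
    now = [0.0]
    limiter = MaxAuthAgeLimiter(max_distinct=3, window_seconds=3600,
                                clock=lambda: now[0])
    rp = "https://rp.example/"                # constructed realm
    decisions = [limiter.allow(rp, age) for age in (3600, 1800, 900, 450, 3600)]
    now[0] = 3601.0                           # window has passed
    decisions.append(limiter.allow(rp, 450))
    return decisions


if __name__ == "__main__":
    print(demo())
```

The limiter only decides whether a value is honoured; how the OP responds to a refused request is left to the caller.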