[security] PAPE Policy for RPs to force authentication without browser cookie

Nate Klingenstein ndk at internet2.edu
Wed Jul 1 06:27:46 UTC 2009


Dirk,

> Good catch. That's another argument for max_auth_age in the request  
> merely being a hint, and auth_time in the response being the thing  
> that matters.

This is exactly my point, but phrased better than my long-winded  
responses.  Until we get signed requests, the request is just  
signaling, and that is hard to do precisely in this instance.  It can  
signal the oldest authentication it thinks it will accept, but that's  
flaky in a federated world with multiple servers with little state if  
you're talking about very narrow windows, and without request signing,  
it's just not a rule the OP can be asked to enforce.

Between auth_time and the nonce timestamp, I think the RP is already  
receiving all the information we can possibly give it, too.  It knows  
exactly when authentication happened, and exactly when the response  
was minted.  If we try to obscure the exact time authentication  
happened, the potential for clock skew and other issues to throw  
things off increases, because it will always receive the oldest time  
that the OP believes might be permissible.

Clarifying the text would be fine.  Adding signatures to the request  
would be fine.  Other approaches don't make much sense to me yet.

Take care,
Nate.
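The check the message argues for, as an added example that is not code from this thread or from any OpenID library: an RP that treats max_auth_age in its request as a hint and enforces freshness itself from the two OP-stamped timestamps it receives, openid.pape.auth_time and the leading timestamp of openid.response_nonce. The field names and the YYYY-MM-DDThh:mm:ssZ shape are those of OpenID 2.0 and PAPE 1.0; the skew allowance, the replay window and the sample responses are constructed for the example.

```python
"""RP-side freshness check for an OpenID 2.0 + PAPE 1.0 response.

Added example, not code from the list thread or from any OpenID
implementation. It relies only on the timestamp shapes the specs define:
openid.response_nonce starts with YYYY-MM-DDThh:mm:ssZ followed by unique
characters, and openid.pape.auth_time uses the same shape. The skew value,
the replay window and the sample responses are constructed assumptions.
"""
import re
from datetime import datetime, timezone

# Both fields lead with the same UTC timestamp shape.
_TS_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z")


def parse_utc(value):
    """Parse a leading YYYY-MM-DDThh:mm:ssZ prefix; None if absent or malformed."""
    if not value:
        return None
    m = _TS_RE.match(value)
    if not m:
        return None
    y, mo, d, h, mi, s = (int(g) for g in m.groups())
    try:
        return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)
    except ValueError:  # e.g. month 13 or second 61
        return None


def check_auth_freshness(response, max_auth_age, skew=30):
    """Decide whether the authentication behind a response is fresh enough.

    Compares openid.pape.auth_time with the timestamp inside
    openid.response_nonce. Both are stamped by the OP's clock, so RP/OP
    clock skew does not enter this comparison; `skew` (assumed value) only
    absorbs whole-second rounding on the OP side. max_auth_age is the RP's
    own requirement in seconds; whatever it sent in the request is treated
    as a hint the OP may or may not have honoured.
    Returns (ok, reason, age_seconds).
    """
    minted = parse_utc(response.get("openid.response_nonce"))
    if minted is None:
        return False, "missing or malformed openid.response_nonce", None
    auth_time = parse_utc(response.get("openid.pape.auth_time"))
    if auth_time is None:
        # Without auth_time the RP cannot verify anything: treat as stale.
        return False, "no openid.pape.auth_time in response", None
    age = (minted - auth_time).total_seconds()
    if age < -skew:
        return False, "auth_time is after the response was minted", age
    if age > max_auth_age + skew:
        return False, "authentication older than max_auth_age", age
    return True, "fresh", age


def check_nonce_window(response, now, window=300):
    """Separate replay check: was the response minted near the RP's `now`?

    This comparison does cross clocks (OP stamp vs RP clock), so it needs a
    generous window (assumed 300 s) and, in a real RP, a store of nonces
    already accepted so the same response cannot be replayed inside it.
    """
    minted = parse_utc(response.get("openid.response_nonce"))
    if minted is None:
        return False
    return abs((now - minted).total_seconds()) <= window


# Constructed sample responses (only the fields this check reads).
FRESH = {
    "openid.response_nonce": "2009-07-01T06:27:46Zabc123",
    "openid.pape.auth_time": "2009-07-01T06:20:00Z",
}
NO_AUTH_TIME = {"openid.response_nonce": "2009-07-01T06:27:46Zabc124"}
FUTURE_AUTH = {
    "openid.response_nonce": "2009-07-01T06:27:46Zabc125",
    "openid.pape.auth_time": "2009-07-01T06:30:00Z",
}

if __name__ == "__main__":
    for name, resp in [("fresh", FRESH), ("no_auth_time", NO_AUTH_TIME),
                       ("future", FUTURE_AUTH)]:
        print(name, check_auth_freshness(resp, max_auth_age=600))
    print("fresh@300", check_auth_freshness(FRESH, max_auth_age=300))
    print("replay window", check_nonce_window(FRESH, parse_utc("2009-07-01T06:28:00Z")))
```

The two checks are deliberately separate: the auth_time-versus-nonce comparison is skew-free because both stamps come from the OP, which is why an RP can apply a tight max_auth_age there, while the nonce-versus-RP-clock comparison is the one that has to tolerate skew and so gets a wider window.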

