[security] OpenID Security Best Practices Doc

Allen Tom atom at yahoo-inc.com
Tue Jun 9 05:13:05 UTC 2009


SitG Admin wrote:
> You have to assume that the session *will* be compromised, then, and 
> prepare accordingly.
Arguably, the user's session at their OP would be more resistant to 
being stolen than the RP's session, so perhaps the RP should frequently 
call checkid_immediate to verify that the user is still signed into 
their OP. This would require the attacker to steal the OP's session.

I believe that Facebook Connect takes the very extreme approach with 
requiring Connect RPs to do the equivalent of checkid_immediate on every 
page view. This also has the nice benefit of enforcing single sign out 
across all RPs when the user signs out of Facebook. Not sure if this is 
the solution that OpenID should go with, however, it's certainly 
interesting.

Allen
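The periodic checkid_immediate re-check described above, as an added example that is not from this thread or from any OpenID library: the RP builds the no-UI request, and on the return keeps its local session only for a correctly signed positive assertion about the same claimed_id, dropping it on setup_needed. The OP stand-in, MAC key, handle and URLs are constructed demo values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
# Constructed demo values; a real RP uses the association negotiated with the OP.
MAC_KEY = b"constructed-demo-mac-key-not-a-real-one"
CLAIMED_ID = "https://op.example.com/alice"

def build_checkid_immediate(op_endpoint, claimed_id, assoc_handle, return_to, realm):
    """URL the RP sends the browser to for a no-UI re-check of the OP session."""
    params = {
        "openid.ns": OPENID_NS, "openid.mode": "checkid_immediate",
        "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
        "openid.assoc_handle": assoc_handle, "openid.return_to": return_to,
        "openid.realm": realm,
    }
    return op_endpoint + "?" + urlencode(params)

def signature(fields, mac_key):
    """HMAC-SHA1 over the key-value form of the fields listed in openid.signed."""
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in fields["openid.signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha1).digest()).decode()

def constructed_op_response(mode, mac_key=MAC_KEY, claimed_id=CLAIMED_ID):
    """Stand-in for the OP (constructed): a signed id_res, or setup_needed when the
    user is no longer signed in at the OP and an immediate request cannot succeed."""
    if mode == "setup_needed":
        return urlencode({"openid.ns": OPENID_NS, "openid.mode": "setup_needed"})
    fields = {
        "openid.ns": OPENID_NS, "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.com/auth",
        "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
        "openid.return_to": "https://rp.example.com/recheck",
        "openid.response_nonce": "2009-06-09T05:13:05Zdemo", "openid.assoc_handle": "demo",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    fields["openid.sig"] = signature(fields, mac_key)
    return urlencode(fields)

def session_still_valid(response_query, mac_key, expected_claimed_id):
    """RP-side decision after the re-check: keep the local session only on a
    signed id_res for the expected user. A real RP also checks return_to and
    rejects a replayed response_nonce; both are left out here for brevity."""
    f = {k: v[0] for k, v in parse_qs(response_query).items()}
    if f.get("openid.ns") != OPENID_NS or f.get("openid.mode") != "id_res":
        return False  # setup_needed, an error, or not an OpenID 2.0 response
    if f.get("openid.claimed_id") != expected_claimed_id or "openid.sig" not in f:
        return False
    try:
        return hmac.compare_digest(signature(f, mac_key), f["openid.sig"])
    except KeyError:  # a field named in openid.signed is missing from the response
        return False
```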
