Another case is where the RP specified max_auth_age=999999999999. The PAPE spec requires the OP to respond back with the time the user last authenticated, if the max_auth_age is greater than the duration of the user's current session with the OP. This effectively gives the RP a way to find out when the user last signed in, which potentially violates the user's privacy.
Let's combine this with checkid_immediate: who needs the OP to say anything? Just query it again and again until you've narrowed down the user's last login to whatever degree of precision you wanted.
-Shade

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
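An added example (Python, not code from the post or from any OpenID implementation) that models the disclosure rule described above next to one OP-side mitigation: bucketing auth_time so that repeated checkid_immediate probes with varying max_auth_age cannot narrow the last login below the bucket. The function names, the one-hour bucket and the constructed sessions are assumptions.

```python
"""PAPE max_auth_age disclosure: spec behaviour vs. a coarsened OP policy."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass
class Session:
    user: str
    auth_time: int  # epoch seconds of the user's last authentication at the OP


def auth_time_per_spec(session: Session, max_auth_age: Optional[int], now: int) -> Optional[int]:
    """Rule as described in the post: when the RP's max_auth_age exceeds the age
    of the current OP session, the OP discloses the exact last-authentication
    time. A huge max_auth_age therefore always triggers disclosure."""
    if max_auth_age is None:
        return None
    if max_auth_age > now - session.auth_time:
        return session.auth_time
    return None


def auth_time_coarsened(session: Session, max_auth_age: Optional[int], now: int,
                        bucket: int = 3600) -> Optional[int]:
    """Assumed mitigation: the OP uses a bucketed auth_time (rounded down to
    `bucket` seconds) both for the freshness comparison and for the value it
    reports, so varying max_auth_age only reveals which bucket the login is in."""
    if max_auth_age is None:
        return None
    rounded = session.auth_time - (session.auth_time % bucket)
    if max_auth_age > now - rounded:
        return rounded
    return None


Policy = Callable[[Session, Optional[int], int], Optional[int]]


def distinguishable(policy: Policy, s1: Session, s2: Session, now: int,
                    ages: Iterable[int]) -> bool:
    """Defender's check: does any max_auth_age in `ages` make the OP answer
    differently for two sessions? Two logins in the same bucket should not be
    separable under a privacy-preserving policy."""
    return any(policy(s1, a, now) != policy(s2, a, now) for a in ages)


if __name__ == "__main__":
    now = 1_700_000_000                      # constructed "current time"
    a = Session("alice", now - 5000)         # constructed: logged in 5000 s ago
    b = Session("alice", now - 6000)         # constructed: same hour bucket
    print("spec leaks:     ", distinguishable(auth_time_per_spec, a, b, now, range(4000, 7000)))
    print("coarsened leaks:", distinguishable(auth_time_coarsened, a, b, now, range(4000, 7000)))
```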
