A real-world example: a user can claim to have been offline during a certain time; however, the user silently signed into their OP to check mail, without signing out. A couple of days later, the user then uses their OpenID, and the fact that the user signed in at a certain time (when the user claimed to be offline) will be disclosed to the RP.

To complicate this scenario, the user might share their OP with someone else at home. Even if the OP were capable of modeling their relationship, the user might not care to make it known to the OP - or anyone else, really. If the user is satisfied that others who have access to the OP/password respect privacy appropriately, using only the services they need, the user's claim to have been offline during that time would be true, regardless of what the OP's records remembered.

-Shade
_______________________________________________
security mailing list
http://openid.net/mailman/listinfo/security