Want to insist on a recent login

Dave Hinton dah at thereaction.co.uk
Sun Jul 17 10:15:51 PDT 2005


I see no way in the current spec for the Consumer to insist that the 
End User must relogin to the Server if he has not logged in within, 
say, the last five minutes.

This would be useful for sites where certain actions are more sensitive 
than others, e.g. e-commerce.

If the End User has left themself logged in while they go to the loo 
and someone else posts to their blog while they are away from the 
keyboard, that is the End User’s silly fault for leaving themself 
logged in.  But if someone should attempt to spend money on the End 
User’s credit card, or erase the End User’s entire blog, or something 
else similarly drastic, then the Consumer web site has a responsibility 
to try to prevent that.

(Compare also with the behaviour of sudo on *nix systems.)

This might seem to defeat the point of single sign on.  But no:  The 
End User would still only have to maintain a single password at a 
single web site.  Currently the End User must either (a) use the same 
password at all web sites (insecure) or (b) never be able to remember 
their password at web sites they visit infrequently, thus having to ask 
the web site to e-mail their password to them (annoying, and wastes 
time).

So I think this would be a useful feature for OpenID to have.  It would 
only require adding an openid.required_freshness field to the 
checkid_setup and checkid_immediate requests.

Any thoughts?
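As an added illustration of the proposal above (example code, not part of the original post and not from any OpenID specification), the following sketches both halves: the Consumer attaching a proposed `openid.required_freshness` value to a checkid_setup or checkid_immediate request, and the Server comparing it against the time of the End User's last login. The field name comes from the post; its semantics (a maximum age in seconds since the last interactive login) and the helper names are assumptions. The Server fails closed on a malformed or negative value and on a last-login timestamp that lies in the future, and in immediate mode, where it cannot prompt, it signals that a setup-mode retry is needed. (OpenID 2.0 later standardised essentially this idea as `openid.pape.max_auth_age` in the PAPE extension.)

```python
import time
from urllib.parse import urlencode, parse_qs

# Consumer side: build the query string for a checkid request. The
# openid.required_freshness field is the post's proposal; treating its
# value as "maximum seconds since the End User last logged in" is an
# assumption made for this example.
def build_checkid_request(identity, return_to, trust_root,
                          mode="checkid_setup", required_freshness=None):
    params = {
        "openid.mode": mode,
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    }
    if required_freshness is not None:
        params["openid.required_freshness"] = str(int(required_freshness))
    return urlencode(params)

# Server side: does this request require the End User to log in again?
# last_auth_time is the Unix time of the user's last interactive login at
# the Server (None if there is no current session); now is injectable so
# the check is testable.
def needs_reauth(query_string, last_auth_time, now=None):
    now = time.time() if now is None else now
    q = parse_qs(query_string)
    raw = q.get("openid.required_freshness", [None])[0]
    if raw is None:
        return False            # Consumer did not ask for freshness
    try:
        max_age = int(raw)
    except ValueError:
        return True             # malformed value: fail closed
    if max_age < 0 or last_auth_time is None:
        return True
    age = now - last_auth_time
    # A negative age means a clock problem or tampered timestamp; treat
    # it as stale rather than trusting it.
    return age < 0 or age > max_age

# Server side: what to do with the request. In OpenID 1.1 an immediate-mode
# request that cannot be satisfied without user interaction is answered
# with a user_setup_url, so the Consumer retries in checkid_setup mode.
def server_decision(query_string, last_auth_time, now=None):
    q = parse_qs(query_string)
    mode = q.get("openid.mode", [""])[0]
    if not needs_reauth(query_string, last_auth_time, now):
        return "assert"         # issue the positive assertion as usual
    if mode == "checkid_immediate":
        return "setup_needed"   # cannot prompt; answer with user_setup_url
    return "prompt_login"       # checkid_setup: show the login form again

if __name__ == "__main__":
    # Constructed sample: a shop asks for a login no older than five minutes.
    req = build_checkid_request("http://alice.example.org/",
                                "http://shop.example.com/return",
                                "http://shop.example.com/",
                                required_freshness=300)
    print(req)
    print(server_decision(req, last_auth_time=1000, now=1200))  # assert
    print(server_decision(req, last_auth_time=1000, now=1400))  # prompt_login
```

The Consumer only ever sends the desired maximum age; the Server remains the sole authority on when the End User actually authenticated, so a Consumer cannot weaken another site's session and a stale or missing session is never silently accepted.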