The core spec is not clear on how an OP must treat an OpenID authentication request with
max_age=0, and this question was raised by a developer:
Leave it up to the OP to decide whether the end-user is to be (re)authenticated (same as max_age omitted)?
Treat it as a prompt=login request?
OpenID PAPE also appears ambiguous on this. Is there an established practice when max_age=0?
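
The two readings in the question, written out as OP-side decision logic. This is an added example, not code from the spec or from any OP implementation. The function names, the `zero_policy` switch and the choice to reuse the session when no age constraint applies are assumptions made for illustration. The last function shows how a truthiness test on the parsed value silently selects the "same as omitted" reading.

```python
from urllib.parse import parse_qs


def parse_max_age(query):
    """Return max_age as an int, or None when the parameter is absent."""
    values = parse_qs(query, keep_blank_values=True).get("max_age")
    if not values:
        return None
    age = int(values[0])  # ValueError on non-numeric input
    if age < 0:
        raise ValueError("max_age must be non-negative")
    return age


def must_reauthenticate(query, auth_time, now, zero_policy):
    """Decide whether the OP actively re-authenticates the end-user.

    zero_policy (hypothetical switch) picks a reading of max_age=0:
      "as_omitted"      - same as max_age absent, OP decides
      "as_prompt_login" - always re-authenticate
    """
    params = parse_qs(query)
    if "login" in params.get("prompt", [""])[0].split():
        return True
    max_age = parse_max_age(query)
    if max_age is None:
        return False  # assumed OP policy: reuse the existing session
    if max_age == 0:
        if zero_policy == "as_omitted":
            return False
        if zero_policy == "as_prompt_login":
            return True
        raise ValueError("unknown zero_policy: %r" % zero_policy)
    # Core spec rule: re-authenticate when elapsed time exceeds max_age.
    return now - auth_time > max_age


def must_reauthenticate_truthy(max_age, auth_time, now):
    """Pitfall: 0 is falsy, so max_age=0 is handled as if it were omitted."""
    if max_age:
        return now - auth_time > max_age
    return False
```

An OP that wants a deliberate answer for `max_age=0` has to test for `None` explicitly, as `must_reauthenticate` does, rather than rely on truthiness.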