As I understand it, one of the reasons that PAPE originally disavowed the 'specific method' model is the concern that, for the OP to disclose this fact to RPs would present a privacy risk to the User, as the knowledge would give a malicious RP a (theoretical) advantage in hacking that User's account at the IDP.
I've never bought this argument:
- Given OpenID's (and the SAML Web SSO profile to a slightly lesser extent) well-known vulnerability to phishing, if I was a bad RP, I can think of an easier way to get the User's IDP credential.
- security through obscurity?
Separately, I don't buy at all Mike's argument that PAPE, as it is a 'policy' extension, is not the place for expressing specific authentication mechanisms. It's all policy. And it's a distinction that WS-Security Policy is happy to ignore.