Comment 6 for bug 963098

Joseph Heck (heckj) wrote :

Nag - not a bad idea, but one that we need to be a touch cautious around. In some implementations of Keystone, the keystone system itself *will not* have access to lock a password or otherwise manipulate the ID system. Keystone is going to be acting as a facade in many deployments, not the end system in itself - and some backends will not support any manipulation of user credentials externally.

Additionally, Rajesh's comment is fairly reasonable about the user experience - a flow like that is totally valid, but if we implemented it, we would need to make sure that the user could receive some useful notification that their credentials have been locked for security reasons and provide a means for them to get them unlocked. Otherwise we've enabled another security flaw in a denial of service to the system users.