I am probably going to make a lot people mad here, but all this talk of OpenID and Phishing made me think of this demotivator:
But seriously. The recent Fun OpenID Phishing Demo shows just how troutish the typical OpenID user would if the technology was ever adopted for serious use. With OpenID (as with all SSO technologies) once they have your master login credentials they have access to all your SP accounts. Too many OPs are far too easy to Phish.
Touting the added security of an additional browser plug-ins (especially one that is only available on Firefox) is simply not going to cut it. SPs have to believe that OpenID provides sufficient protection for all their customers assuming a vanilla browser or it won’t be adopted for serious use.
Some sites like Vidoop are more Phishing resistant than others (Vidoop also has a browser plug-in that is available on both Firefox and IE). Also relying on Information Cards to authenticate to the OP provides a high degree of Phishing resistances. But relying on sites to be Phishing resistant would force SPs to a White List approach.
Perhaps OpenID + White Lists + Phishing Resistant OPs would keep Mr. Trout safe and happy.
PAPE is supposed to address this. But trust is all about knowing who you are dealing with. If I don’t know you, how can I trust you will really honor your promise? Likewise how does an SP trust that a previously unheard of OP will honor the promises it makes via PAPE in regards to authentication?