I just picture a scenario where Grandpa wants to be cool and use openID because he's heard it's sooo hip and secure, and an anonymous openID must be even more secure, so he types in http://www.jkg.in/openid/asdf1234 as his openID or even copies and pastes "http://www.jkg.in/openid/anything" since it's an example that is given. Now every hacker in town can just write a bot that logs in with "http://www.jkg.in/openid/anything" all over the net, accessing poor souls' accounts who thought it was cool to be anonymous.
Of course it is up to the user to choose a legitimate openID provider that they trust, but I'm not sure what percentage of users is capable of discerning a good provider from a bad one.
_______________________________________________ security mailing list [email protected] http://openid.net/mailman/listinfo/security
