January 23, 2007

Thinking about OpenID

Well, I'm always thinking about it, but Simon Willison is thinking about it more right now. His two most recent posts look at solving the OpenID phishing problem and creating a whitelist via OpenID.

Of the two, the phishing issue seems to be the one that needs to be addressed fairly soon. The problem with a URL-based scheme is that, because logging in involves a redirect from one site to another, a man-in-the-middle attack is somewhat easy to create. If I create a site which lets people use their OpenID logins, I can easily create a secondary site which mimics the OpenID provider's site and thus gives me the user's login information. While this might be too much work right now, once more people start using OpenID, I believe you will see more of this.

Scott Kveton, CEO of JanRain, gives some additional perspective on the issue. I totally agree with Scott that it's very encouraging that so many people are looking into the issue now and hopefully can help direct solutions in an easier manner.

Posted by Josh at January 23, 2007 06:00 AM