There's been a lot of discussion about the fact that OpenID protocol has a special exposure to phishing/pharming and that the OpenID community needs to address these issues, either technically or through pressure on various parties to address phishing/pharming more broadly. There are a lot of proposals – in particular, we are all waiting to hear from Kim Cameron about OpenID and Cardspace (though applying Cardspace at the OpenID Provider seems like a straightforward solution).
If you ask me, things are happening EXACTLY how I would have wanted and expected them to. Why? Becuase OpenID is a platform for innovation in authentication. People who want to innovate in authentication methods (Mozilla/Firefox, Cardspace, VxVsolutions, etc) do NOT have to be the same people who innovate in offering services on the web (any one of a million folks running mediawiki, drupal, etc). That “delinking” of authentication innovation and service innovation is what is valuable in OpenID.
No, OpenID doesn't solve all problems, and maybe today it only solves a very narrow set of problems with an acceptable risk profile. But to me, thats not the point – its the unleashing of creativity and the power to let developers and architects focus on what they are interested in and good at. Security and identity nuts can focus on authentication and let the social networking, wiki-touting, web 2.0-heads do what they do best! OpenID is an abstraction, a key middle ground for these folks to meet and leverage each other's work – that OpenID is deployed for use in a fairly narrow set of use cases TODAY should not mean that it will not be very important in they very near future…
Very interesting thinking and way to put things.
