>If OIDF wants to certify something, it should certify compliance to the >OpenID standard. +1; different parties employing OpenID might have/practice/need different security standards, too (let the first people to want OWASP, submit the libraries they're thinking of using to OWASP). -Shade