RPs cannot leverage cheap, ubiquitous SSL/TLS PKI to help thwart the more obvious DNS and MITM/phishing attacks.

BTW, whoever maintains http://openid.net/get/ should probably change the Yahoo information to "https://me.yahoo.com/" since that works and, unlike http://openid.yahoo.com/, uses SSL/TLS.

Thanks,
Peter