[OpenID] Security/featureset at odds?
SitG Admin
sysadmin at shadowsinthegarden.com
Sat Aug 2 01:50:16 UTC 2008
I tried thinking of concrete examples as Nat requested, but it was
difficult to work on the details because, once I had the loosest idea
of what a use case was, my thoughts were overwhelmingly along the
lines of "Our security model sucks."

The current network model seems to be 3, at most 4, steps; usernode
to multiuser (typically a large site offering services such as
homepage or E-mail) node to usernode, possibly routing through
another multiuser node that the 2nd usernode is connected to the
internet through. Every user is communicating with 1 other user (at a
time) or 1 multiuser, re-authenticating to each.

SSO promises to solve this, letting users authenticate in the same
way without giving up their credentials to every other node. But
aren't we effectively endangering this by creating a network model
where RP nodes and OP nodes can talk to one another without a user
necessarily being involved? When actions such as "add my new Friends
from site1 to my Friends at site2" (and all the access privileges
such changes entail) can be performed by a single node that is either
compromised, or deceived into thinking an attacker is the legitimate
user by *another* compromised node, is there any difference?

Two thoughts on this:

1) It's important to focus on the benefits that OpenID can offer
*besides* SSO, and to develop them. It's especially important to not
push SSO so hard that we distance OpenID from those who *want* to
have multiple passwords required, per service, for additional
security.

2) We should put together a list of differences, however minor, that
OpenID might make in how the current flow of information on the web
goes. Then we can properly analyze the potential implications they
have for security instead of trying to guess ahead (and losing face
over the disaster when we fail to guess ahead).

All of this may be elaborated upon, in a more coherent manner, when I
have had Food ;)

-Shade