[OpenID] XRDS multi-OP listing?
SitG Admin
sysadmin at shadowsinthegarden.com
Sun Jun 8 04:22:32 UTC 2008
>There is little to no ROI from an RP perspective. If anything, I
>want to go the other way and only allow certain trusted OP's, not
>open the door for the user to not only use multiple OP's, but pick a
>different one at random each time. The risk is slightly higher.
I'm not clear on how you're using "random" here. Is the XRDS so
constrained in its current format that any string which matches a URL
pattern will be treated as an OP? Could the user not, for instance,
add a list of OP's identified in such a way as to only be recognized
as valid OP's if the RP had written a library to specifically seek
them out? Will the RP be forced to select one of those OP's *at
random* if more than one is present?
Other than that it's simply a trust issue. Just because we don't know
WHY a user went with this OP over that one on a given occasion,
doesn't mean it's random! Indeed, one might argue that it's none of
our business why the user picked one over another. All we need to do
is ask for (PAPE) verification that the OP our user selected can meet
our demands for authentication. If it can't, we explain this to the
user and ask them to pick another one.
Trust of the OP's is not just our decision as Relying Parties, but
the user's as well.
-Shade
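As an added example that is not part of this thread, here is how an RP could read a multi-OP XRDS, apply its own allow-list instead of accepting whatever is listed, fall back to the random tie-break only among equal priorities, and use PAPE to check that the selected OP meets its demands. The XRDS document and endpoint URLs are constructed for the example.

```python
import random
import xml.etree.ElementTree as ET

XRD = "{xri://$xrd*($v*2.0)}"  # XRD element namespace used inside an XRDS document
SIGNON = "http://specs.openid.net/auth/2.0/signon"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"

# Constructed XRDS: the user lists two OP endpoints, the second preferred (lower priority value)
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD>
  <Service priority="20"><Type>%s</Type><URI>https://op-a.example/auth</URI></Service>
  <Service priority="10"><Type>%s</Type><URI>https://op-b.example/auth</URI></Service>
  <Service><Type>http://example.invalid/not-openid</Type><URI>https://other.example/</URI></Service>
</XRD></xrds:XRDS>""" % (SIGNON, SIGNON)

def discover_ops(xrds_text):
    """Return (priority, endpoint) for every OpenID 2.0 signon service in the XRDS.
    A Service without a priority attribute ranks last (XRI Resolution semantics)."""
    ops = []
    for svc in ET.fromstring(xrds_text).iter(XRD + "Service"):
        types = {t.text.strip() for t in svc.findall(XRD + "Type") if t.text}
        if SIGNON not in types:
            continue  # not an OP endpoint, so never a sign-on candidate
        prio = int(svc.get("priority")) if svc.get("priority") is not None else float("inf")
        ops += [(prio, u.text.strip()) for u in svc.findall(XRD + "URI") if u.text]
    return ops

def choose_op(ops, trusted, rng=random):
    """RP-side selection: keep only allow-listed endpoints, take the best priority,
    and break a tie at random as XRI Resolution prescribes."""
    allowed = [(p, u) for p, u in ops if u in trusted]
    if not allowed:
        return None
    best = min(p for p, _ in allowed)
    return rng.choice([u for p, u in allowed if p == best])

def pape_request_args(policies, max_auth_age=None):
    """Request parameters asking the OP to meet the RP's authentication demands."""
    args = {"openid.ns.pape": "http://specs.openid.net/extensions/pape/1.0",
            "openid.pape.preferred_auth_policies": " ".join(policies)}
    if max_auth_age is not None:
        args["openid.pape.max_auth_age"] = str(max_auth_age)
    return args

def pape_satisfied(signed_response, required):
    """True if the signed PAPE response claims every policy the RP requires; otherwise
    the RP explains the shortfall to the user and lets them pick another OP."""
    claimed = set(signed_response.get("openid.pape.auth_policies", "").split())
    return set(required) <= claimed
```

The RP must confirm the `openid.pape.*` fields are covered by the OP's signature before trusting them in `pape_satisfied`.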