[OpenID] Mis-using generation identifiers to request SSL treatment
SitG Admin
sysadmin at shadowsinthegarden.com
Mon Nov 3 06:45:21 UTC 2008

Andrew has accurately identified the scenario I spoke of where the RP
ends up contacting a hostile server. I guess it's also a question of
user-friendliness: do they find themselves more comfortable with
entering "http://" at the *beginning* of a URI than some characters
(mostly letters) at the *end* of their URI?

Adding another idea: how about a "preferred_OP"? Let's say that my
usual OP is down, and I *know* this, so I want to specify that the RP
should use OP#2 - defined in my headers or the XRDS file whose
location is specified in my headers, so an impersonator can't just
declare an OP not listed for my URI at all - to authenticate me. Just
by typing a few additional letters after the URI, suddenly I (the
user, supposedly the most important player in this user-centric
topology) have exerted additional control over the OpenID flow, in a
way that might otherwise be limited to the RP and/or complicated user
UI.
-Shade
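
An added example (not from the original post or from any OpenID library) of the check the message describes: the RP honours a user-typed OP preference only when that OP is listed in the XRDS discovered for the identifier. The `#op=` suffix syntax, the host names and the sample XRDS are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD = "{xri://$xrd*($v*2.0)}"          # XRD 2.0 namespace used by Yadis/XRDS
SIGNON = "http://specs.openid.net/auth/2.0/signon"

# Constructed sample: XRDS for a hypothetical identifier that lists two OPs.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op1.example/auth</URI>
    </Service>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op2.example/auth</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

def children(el, name):
    """Direct child elements of `el` with the given XRD tag and non-empty text."""
    return [c for c in el if c.tag == XRD + name and c.text]

def listed_ops(xrds_text):
    """OP endpoint URIs the identifier's owner published, lowest priority first."""
    # A production RP should parse untrusted XML with a hardened parser.
    ops = []
    for svc in ET.fromstring(xrds_text).iter(XRD + "Service"):
        if SIGNON not in {t.text.strip() for t in children(svc, "Type")}:
            continue
        prio = int(svc.get("priority", "1000000"))  # absent = lowest priority
        ops += [(prio, u.text.strip()) for u in children(svc, "URI")]
    return [uri for _, uri in sorted(ops, key=lambda p: p[0])]

def choose_op(user_input, xrds_text):
    """Split off the hypothetical '#op=<host>' hint; honour it only if listed."""
    identifier, _, hint = user_input.partition("#op=")
    ops = listed_ops(xrds_text)
    if not ops:
        raise ValueError("no OpenID 2.0 OP listed for this identifier")
    if not hint:
        return identifier, ops[0]       # normal flow: highest-priority OP
    matches = [u for u in ops if urlsplit(u).hostname == hint.lower()]
    if not matches:
        # The hint only selects among published OPs; it can never add one.
        raise ValueError("preferred OP is not listed for this identifier")
    return identifier, matches[0]
```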