[OpenID] http and https...again
Joe Tele
pnwtele at yahoo.com
Fri Sep 5 19:45:58 UTC 2008
I realize and buy the arguments that http and https claimed ids should represent separate identities. I am having some difficulty with various OPs in the wild and their differences.
We want our RP to only accept secure identifiers: User supplied identifiers, claimed identifiers, and OP endpoints.
Is there a recommended practice for when an OP can serve up a secure claimed identifier vs an insecure (https vs http)? I am encountering varying behavior. We would like to vet and white list acceptable OPs.
Take myvidoop for example. If the user supplied identifier is https://whatever.myvidoop.com then we resolve an https claimed id. However, if the user enters the OP identifier https://myvidoop.com (secure), myvidoop returns an insecure (http) identifier. The protocol started out secure and subsequently downgraded. This seems unacceptable to me and confusing to the consumer.
There seems to be wide latitude in how to represent the OP identifier when asking the OP to choose an identifier for the user. Yahoo will accept simply yahoo.com, the same with myvidoop.com. But another OP we have tried, myopenid.com, does not have a valid certificate for that address, requiring the user to type in www.myopenid.com. I can only see user frustration arising out of this. I suppose users will learn what their providers need, but certificate failures could chase away potential users from our site.
I have been looking at the provider list at http://openid.net/get/, is this a good list for "top-tier" providers?
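As an added illustration of the "only accept secure identifiers" policy described in the post (example code, not from the original message or from any OP), here is an RP-side vetting step that checks the user-supplied identifier, the claimed identifier and the OP endpoint, reports the https-to-http downgrade case separately, and compares the endpoint host against an allowlist. The hostnames, the allowlist and the decision to treat a bare name as https are constructed assumptions; XRI i-names are out of scope.

```python
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(raw: str) -> str:
    """Normalize a URL identifier: add a scheme if missing, lowercase scheme and
    host, default the path to '/', and drop any fragment.
    Assumption (an RP policy, not the OpenID 2.0 default of http): a bare name
    such as 'op.example' is treated as https. XRI i-names are not handled."""
    raw = raw.strip()
    if "://" not in raw:
        raw = "https://" + raw
    p = urlsplit(raw)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def vet_identifiers(user_supplied, claimed_id, op_endpoint, allowed_op_hosts):
    """Return a list of findings; an empty list means all three identifiers are
    https and the OP endpoint host is on the allowlist. An https user-supplied
    identifier that discovery resolved to an http claimed identifier is
    reported as a downgrade rather than as a plain insecure claimed id."""
    user_id = normalize_identifier(user_supplied)
    claimed = normalize_identifier(claimed_id)
    endpoint = normalize_identifier(op_endpoint)
    findings = []
    user_https = urlsplit(user_id).scheme == "https"
    claimed_https = urlsplit(claimed).scheme == "https"
    if not user_https:
        findings.append(f"user-supplied identifier is not https: {user_id}")
    if not claimed_https:
        if user_https:
            findings.append("downgrade: https user-supplied identifier resolved "
                            f"to http claimed identifier {claimed}")
        else:
            findings.append(f"claimed identifier is not https: {claimed}")
    ep = urlsplit(endpoint)
    if ep.scheme != "https":
        findings.append(f"OP endpoint is not https: {endpoint}")
    if ep.hostname not in allowed_op_hosts:
        findings.append(f"OP endpoint host not allowlisted: {ep.hostname}")
    return findings


if __name__ == "__main__":
    # Constructed sample values; hosts and allowlist are placeholders.
    allowed = {"op.example"}
    print(vet_identifiers("https://alice.op.example", "https://alice.op.example/",
                          "https://op.example/server", allowed))          # []
    print(vet_identifiers("https://op.example", "http://alice.op.example",
                          "https://op.example/server", allowed))          # downgrade
```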