[OpenID] Here, let me take that URL for you
SitG Admin
sysadmin at shadowsinthegarden.com
Mon Apr 9 11:20:10 UTC 2012
What happens if I notice someone enabling OpenID (with delegation) in
their page's headers, but get to account creation before they do? I'm
admittedly confused by the myopenid.com signup process (just looking
at its first page, here), but if someone else beats me to
registration, will myopenid.com let me create a *second* account
which works just as well as the first? Perhaps prove my control of
the domain through OP-supplied nonces that show up in my OpenID
headers later, to keep Eve from simply creating another account? Is
the myopenid.com Username configurable (it doesn't say), or am I
forever stuck with what Eve put there? (I'm beginning to think that
it would be simpler if we just never let me alter my page headers
until I had signed up with a provider. But then we have to create the
infrastructure to let OPs control what HTML code I can put on my own
webpages, so that doesn't seem practical either. The current
arrangement seems to be "say nothing, lest actively discouraging it
give users the wrong idea".)
I'm looking at ClaimID's login/signup page, too. This is where I
first began thinking of including the headers before a site was
ready: for a movement that professes to care about "no registration",
it sure seems kind of odd (to me) that the first thing we ask for
(from users) is registration. (Sigh.) This is a bit of an impediment
to my flow, from the tech end; if I'm going to sign up for an OpenID
provider, why can't I do so with *my* OpenID? (Because, um, I don't
*have* one yet? I do, but let's pretend that I don't.) I had somehow
imagined it to be more streamlined: I add headers, and the provider
confirms this. They see me coming (with redirect headers), they give
me a deferral landing page that explains *why* they can't simply
authenticate me straightaway, and *this* is where they tell me why
they need various bits of information, and what they won't be able to
do if I can't provide them with it. Of course, the real-internet
*need* for this signup flow is negligible, I think - how many users
*start* with adding headers to their page, instead of learning about
OpenID through one of the many other channels?
Also, there's the security risk of committing to your provider before
you've established credentials with them, which may tip off an alert
adversary (or anyone crawling your blog often enough to notice the
*moment* you update it) that it's time to go sign up for an account
before you do. Automation might make this a more feasible attack, but
I still don't see it as a serious concern. I'm more bothered by the
idea that someone might DoS a particular user by continually
registering for the most popular providers, in their name, and thus
always "obstructing the doorway" with their own (unguessable)
password.
-Shade