[security] Who bears the risk..

[Dan Lyke]

On Fri, 27 Oct 2006 10:01:51 -0700, Alaric Dailey wrote:
> I seem to remember saying that this would happen if authentication  
> was outside the the scope of the spec.

For those of us implementing Relying Parties, this is completely  
expected and perhaps even welcomed.

As long as users control their URLs (which is the whole point of this  
approach), trust is not a part of OpenID. Trust is gained separately.

Dan