[security] how secure is openid? advise pls..

SitG Admin sysadmin at shadowsinthegarden.com
Mon Feb 9 20:53:32 UTC 2009


>So would it be of some help if I restrict the users to sign in 
>through some trusted OPs instead of any x y z?

The question then becomes - how do you know you can trust a given OP?

>But by doing this, am I not breaking one of the rules of thumb of the 
>OpenID concept? That the users can authenticate themselves through 
>any OP, which, if I restrict it, would not be true on my website.

You can always look for assertions that the OP has implemented 
various authentication mechanisms (biometrics, for instance), and 
then - provided, of course, that you *believe* the OP has actually 
applied these challenges properly - display a message to the user 
saying "This site has been told by your OP that you passed your OP's 
biometric authentication method. If you have not been challenged for 
your fingerprint or similar data, be advised that your OP is 
engaging in fraudulent transactions and you should find another OP."

Or, if those assertions are *not* present, inform the user that their 
OP has vouched for them but the level of security is not sufficient 
to permit full services. You might also deny them further service 
entirely, on the grounds that the nature of your site does not 
readily lend itself to the concept of partial services, or that 
programming granularity in those services would be more trouble than 
it's worth.

-Shade
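The checks Shade describes, as an added example that is not part of the original post: a relying-party decision function over a positive OpenID 2.0 assertion whose claims about the authentication method are carried in PAPE (Provider Authentication Policy Extension) fields. The namespace and policy URIs are written from memory of the PAPE 1.0 spec, the trusted-OP allow-list and the sample assertion are constructed for the example, and the signature itself is assumed to have been verified already by the RP's OpenID library; what this example adds is the check that the PAPE fields are actually inside openid.signed before the site believes them, and the three outcomes (full service, partial service, denial) from the post.

```python
from dataclasses import dataclass
from enum import Enum

# PAPE 1.0 identifiers, as recalled from the extension spec (assumption).
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
MULTI_FACTOR_PHYSICAL = "http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical"

# Hypothetical allow-list of OP endpoints this site has decided to trust.
TRUSTED_OPS = {"https://op.example.com/server"}

# Policies that earn full service: a physical second factor (token or biometric).
FULL_SERVICE_POLICIES = {MULTI_FACTOR_PHYSICAL}


class Access(Enum):
    FULL = "full"
    LIMITED = "limited"
    DENIED = "denied"


@dataclass
class Decision:
    access: Access
    message: str


def pape_alias(resp):
    """Return the alias the OP bound to the PAPE namespace (usually 'pape'), or None."""
    for key, value in resp.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def asserted_policies(resp):
    """PAPE policies the OP really vouched for: only fields covered by openid.signed."""
    alias = pape_alias(resp)
    if alias is None:
        return set()
    # openid.signed lists field names without the "openid." prefix.
    signed = set(resp.get("openid.signed", "").split(","))
    if f"ns.{alias}" not in signed or f"{alias}.auth_policies" not in signed:
        # Unsigned extension fields travel through the user's browser and could
        # have been added or altered there, so they are not the OP's word.
        return set()
    return set(resp.get(f"openid.{alias}.auth_policies", "").split())


def decide(resp, allow_partial=True):
    """Map a positive assertion to an access level plus a message for the user.

    `resp` is the dict of openid.* parameters from the OP's indirect response.
    Assumption: the RP's OpenID library has already checked the signature,
    return_to, nonce and discovery; this function only decides how much to
    trust what the (signed) assertion says about the authentication method.
    """
    if resp.get("openid.mode") != "id_res":
        return Decision(Access.DENIED, "Your OP did not send a positive assertion.")
    if resp.get("openid.op_endpoint") not in TRUSTED_OPS:
        return Decision(Access.DENIED, "Your OP is not one this site trusts.")
    if asserted_policies(resp) & FULL_SERVICE_POLICIES:
        return Decision(
            Access.FULL,
            "This site has been told by your OP that you passed a physical "
            "second-factor challenge (hardware token or biometric). If you were "
            "not challenged for one, your OP is making false claims and you "
            "should find another OP.",
        )
    if allow_partial:
        return Decision(
            Access.LIMITED,
            "Your OP vouched for you, but the authentication it asserts is not "
            "strong enough for full service on this site.",
        )
    return Decision(
        Access.DENIED,
        "Your OP vouched for you, but the authentication it asserts is not "
        "strong enough for this site.",
    )


def sample_assertion(policies=None, sign_pape=True, op="https://op.example.com/server"):
    """Constructed sample response (not a real capture) for exercising decide()."""
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle"]
    resp = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": op,
        "openid.claimed_id": "https://alice.example.com/",
        "openid.identity": "https://alice.example.com/",
        "openid.return_to": "https://rp.example.net/openid/finish",
        "openid.response_nonce": "2009-02-09T20:53:32Zxyz",
        "openid.assoc_handle": "handle-1",
        "openid.sig": "bm90LWEtcmVhbC1zaWduYXR1cmU=",  # placeholder, not a real signature
    }
    if policies is not None:
        resp["openid.ns.pape"] = PAPE_NS
        resp["openid.pape.auth_policies"] = " ".join(policies)
        if sign_pape:
            signed += ["ns.pape", "pape.auth_policies"]
    resp["openid.signed"] = ",".join(signed)
    return resp
```

The signed-field check is the part worth keeping even if the policy tiers are changed: an OP's claim about how it authenticated the user is only its claim if the signature covers it, since the whole response is relayed by the user's browser. Treating unsigned PAPE fields as absent (rather than as proof of tampering) is a deliberate choice here, because some OPs simply do not sign extension fields.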