I've been wondering. Since anybody can start an OpenID provider, and since there is no central authority that approves OpenID providers, why won't fake OpenID providers become a problem?
For example, a spammer could start an OpenID provider with a backdoor to let himself authenticate as any other user that was tricked into registering on his site. Is this possible? Is the provider's reputation the only thing that prevents this? Are we going to see OpenID provider blacklists and OpenID provider review sites in the future?
Probably I don't understand something about OpenID completely. Please enlighten me :)
It'd be pretty much the same as having a "fake" email provider that would hijack users' confirmation emails etc. Only the reputation is preventing that. People do register on gmail.com or hotmail.com, but do not register on joesixpack.org.
OpenID is NOT an intrinsically safe protocol - it doesn't have the power to force a rogue provider to provide security, nor does it 'vet' each provider to ensure they are secure.
OpenID is a mechanism whereby you can store your credentials with a trusted provider, and they will then verify you to others.
If you choose an untrustworthy provider, they can see and use everything you might use your credentials for.
OpenID is not a replacement for trust.
-Adam
Jeff has a very nice (and lengthy) weblog post on this topic. If it doesn't answer your questions, it will certainly enlighten you. The comments also lead to very illustrative articles. Highly recommended.
There are some similar questions on stackoverflow.com that you might find interesting.
The only way I can see a "rogue" OpenID server being a problem isn't a web application security problem so much. What you are doing though is providing one website with your Identity. They tell people you are who you are, but they also have access to it. If a malicious person sets up an OpenID server and people start to use it, the owner of the malicious service could impersonate anybody using their server.
The question comes down to: do you trust the owners of your OpenID server?
My problem with OpenID in general is that it's new and there aren't any standards (that I've heard about anywhere, anyway) that define what makes a "good" OpenID provider. For credit card data, there are PCI-DSS standards for managing credit card info -- but no equivalent for identity.
Granted, it's a new technology that is generally used for applications with minimal "trust" requirements. But on sites like ServerFault, I think that you need a level of trust that's greater than that of a blog, but less than that of a bank or online broker.
Adding to previous answers. Don't know yet about OpenID blacklists, but there is a volunteer initiative on OpenID whitelists. That whitelist is a distributed technology (just like e-mail, DNS, HTTPS certs): there is no single point of failure, there is no single point of trust. You may trust some guy's whitelist, and he can fake it.
There is an opinion that those whitelists must be extended to provide more information (not to anybody, of course), like user activity, number of posts, number of warnings from moderators, etc. Since OpenID is a global identity, that would help to almost instantly spread information like "this user is a spammer". That would force spammers to always use a new id. Imagine that 1000 reputation on ServerFault makes you an equally trusted user on thousands of other websites.
To those who think OpenID consumers should let any OpenID provider be an authenticator, that's just crazy talk. Let's say you have a list of authorized users based on an email passed from OpenID providers. Some rogue person sets up their own OpenID provider service and knows the email of one of your previously authorized users. That rogue person could then 'authenticate' himself as your accepted user.
If you are trying to secure with OpenID, you must have a whitelist of providers you trust, otherwise you're pretty much wide open to anybody who knows how to set up a provider service.
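The relying-party check the answer above calls for, as an added example that is not code from this thread or from any OpenID library: the OP endpoint must be on a whitelist, and local accounts are bound to the (provider, claimed identifier) pair rather than to the email the provider asserts. The hostnames, the whitelist and the account store are constructed samples; the assertion is assumed to have already passed the normal OpenID discovery and signature verification.

```python
from urllib.parse import urlsplit

# Constructed whitelist of provider (OP) endpoint hosts and the scheme we
# expect each to use. Anything not listed here is refused outright.
TRUSTED_OP_HOSTS = {
    "openid.example.net": "https",   # hypothetical provider
    "idp.example.org": "https",      # hypothetical provider
}

# Accounts are keyed by (OP host, claimed identifier) that a trusted provider
# vouched for. Email is stored as an attribute only and is never a lookup key,
# so a rogue provider asserting the same email matches nothing.
ACCOUNTS = {
    ("openid.example.net", "https://openid.example.net/alice"):
        {"email": "alice@example.com", "role": "admin"},
}

class AssertionRejected(Exception):
    pass

def check_op_endpoint(op_endpoint: str) -> str:
    """Return the OP host if it is whitelisted and uses the expected scheme."""
    parts = urlsplit(op_endpoint)
    host = (parts.hostname or "").lower()
    expected_scheme = TRUSTED_OP_HOSTS.get(host)
    if expected_scheme is None:
        raise AssertionRejected(f"untrusted OpenID provider: {host or op_endpoint!r}")
    if parts.scheme != expected_scheme:
        raise AssertionRejected(f"unexpected scheme {parts.scheme!r} for {host}")
    return host

def resolve_account(assertion: dict) -> dict:
    """Map a verified assertion to a local account, or reject it.

    Assumed fields: openid.op_endpoint, openid.claimed_id and the email the
    provider asserted (via SREG/AX); only the first two decide the mapping.
    """
    host = check_op_endpoint(assertion["openid.op_endpoint"])
    account = ACCOUNTS.get((host, assertion["openid.claimed_id"]))
    if account is None:
        # No fallback to an email lookup here: that is exactly the hole the
        # answer describes, since any provider can assert any email address.
        raise AssertionRejected("no account bound to this provider/identifier")
    return account

def accepts(assertion: dict) -> bool:
    """True if the assertion maps to an existing local account."""
    try:
        resolve_account(assertion)
        return True
    except AssertionRejected:
        return False
```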