Is there a danger in fake OpenID providers?
I've been wondering. Since anybody can start an OpenID provider, and since there is no central authority that approves OpenID providers, why won't fake OpenID providers become a problem?
For example, a spammer could start an OpenID provider with a backdoor to let himself authenticate as any other user that was tricked into registering on his site. Is this possible? Is the provider's reputation the only thing that prevents this? Are we going to see OpenID provider blacklists and OpenID provider review sites in the future?
Probably I don't understand something about OpenID completely. Please enlighten me :)
Solution 1:
OpenID is NOT an intrinsically safe protocol - it doesn't have the power to force a rogue provider to provide security, nor does it 'vet' each provider to ensure they are secure.
OpenID is a mechanism whereby you can store your credentials with a trusted provider, and they will then verify you to others.
If you choose an untrustworthy provider, they can see and use everything you might use your credentials for.
OpenID is not a replacement for trust.
-Adam
Solution 2:
It'd be pretty much the same as having "fake" email provider, that would hijack users confirmation emails etc. Only the reputation is preventing that. Poeple do register on gmail.com or hotmail.com, but do not register on joesixpack.org.
Solution 3:
Jeff has a very nice (and lengthy) weblog post on this topic. If it doesn't answer your questions, it will certainly enlighten you. The comments also lead to very illustrative articles. Highly recommended.
Solution 4:
There are some similar questions on stackoverflow.com that you might find interesting.