This is the paragraph on OpenID security from Wikipedia. Are there any new updates about this, or any comments?
Security and phishing
Some observers have suggested that OpenID has security weaknesses and may prove vulnerable to phishing attacks.[26][27][28] For example, a malicious relying party may forward the end-user to a bogus identity provider authentication page asking that end-user to input their credentials. On completion of this, the malicious party (who in this case also control the bogus authentication page) could then have access to the end-user's account with the identity provider, and as such then use that end-user’s OpenID to log into other services.
In an attempt to combat possible phishing attacks some OpenID providers mandate that the end-user needs to be authenticated with them prior to an attempt to authenticate with the relying party.[29] This relies on the end-user knowing the policy of the identity provider. In December 2008, the OpenID Foundation approved version 1.0 of the Provider Authentication Policy Extension (PAPE), which "enables Relying Parties to request that OpenID Providers employ specified authentication policies when authenticating users and for OpenID Providers to inform the Relying Parties which policies were actually used."[30] Regardless, this issue remains a significant additional vector for man-in-the-middle phishing attacks.
Other security issues identified with OpenID involve lack of privacy and failure to address the trust problem.[31]
