I see that Blogger has now started offering the use of OpenID for posting comments on more than just its Beta and Alpha platform. I'm not quite sure why they are doing it, though, as OpenID doesn't exactly have a safe security model around it. The principle behind OpenID is very simple. You create an ID at a provider site, say Wordpress, and then other sites you go to can present the OpenID layer for authentication: they send you to your provider, which authenticates you and vouches for you.
Spot the problem? The site you visit is responsible for sending your details to your provider. All a site has to do is send those details to a fake provider it has set up, one that proxies the authentication to the real provider whilst phishing your details in the process. It's called a man-in-the-middle attack, and it is so stupidly simple it's scary. So, you proudly own your OpenID and you visit a website which allows comments via OpenID. Brilliant, you think, I can post safely knowing that anyone reading the comment knows it is me. No 'sockpuppeting' here, the blogging expert thinks. He happily types his OpenID in, it authenticates, and he posts a comment.
Unbeknown to him, though, his details have just been sniffed in the middle by the website owner. And guess what: because OpenID is a distributed authentication system that allows people to log in to multiple sites, the phisherman now has access to all those sites too. He can pretend to be you anywhere he wants, and because OpenID "stops sockpuppeting", everyone will think that it was you who posted those comments.
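As an added, defender-side illustration (not code from the original post, and not anything Blogger or an OpenID provider ships): a small user-side helper that refuses the redirect at the heart of the attack when it does not go to the provider the user has pinned for their identifier. The identifier, hosts and URLs below are constructed; pinning the provider locally is an assumption of the example, since in the real protocol that mapping comes from discovery on the identifier URL.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample: the user's identifier and the only provider host that
# should ever be asked to authenticate it. In OpenID this mapping is what
# discovery on the identifier URL yields; here it is pinned locally (an
# assumption of this example) so the check runs offline.
PINNED_PROVIDERS = {
    "https://alice.example.com/": {"openid.example.com"},
}

def inspect_redirect(redirect_url):
    """Decide whether a relying party's authentication redirect may proceed.

    The attack in the post works because the site you are commenting on, not
    you, chooses where your browser is sent to log in. A user-side helper can
    refuse any checkid_* redirect whose target is not the pinned provider for
    the identifier being asserted. Returns (allowed, reason)."""
    parsed = urlparse(redirect_url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if params.get("openid.mode") not in ("checkid_setup", "checkid_immediate"):
        return False, "not an OpenID authentication request"
    identity = params.get("openid.claimed_id") or params.get("openid.identity")
    if identity not in PINNED_PROVIDERS:
        return False, "no pinned provider for identifier %r" % identity
    if parsed.scheme != "https":
        return False, "provider endpoint is not https"
    if parsed.hostname not in PINNED_PROVIDERS[identity]:
        return False, "redirect targets %s, which is not a pinned provider" % parsed.hostname
    return True, "redirect targets pinned provider %s" % parsed.hostname

# Constructed redirects: one to the real provider, one to a look-alike host
# that would proxy the login and capture the password as the post describes.
GENUINE_REDIRECT = (
    "https://openid.example.com/server?openid.mode=checkid_setup"
    "&openid.identity=https://alice.example.com/"
    "&openid.return_to=https://blog.example.org/comment"
)
SPOOFED_REDIRECT = (
    "https://openid.example.com.login-proxy.invalid/server?openid.mode=checkid_setup"
    "&openid.identity=https://alice.example.com/"
    "&openid.return_to=https://blog.example.org/comment"
)

if __name__ == "__main__":
    for url in (GENUINE_REDIRECT, SPOOFED_REDIRECT):
        print(inspect_redirect(url))
```

The same check is what the "look at the address bar before you type your password" advice asks a human to do; a browser helper just does it consistently.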
The simplicity of the attack is quite elegant really. After all, we're not talking about a crude attack where someone sends an email pretending to be a bank and hopes that a gullible person clicks the link and hands over their details. Instead, what you have is a flaw where the user openly goes somewhere and happily puts their details in because they just trust the system.
They trust a system that relies on distributed, distinct business entities each ensuring that they are not compromised, because if just one provider in the chain is compromised then details are suddenly exposed across multiple providers. Someone using Provider A who enters their details with OpenID on Provider B, where Provider B is compromised, has now exposed the details that were thought to be secure on Provider A.
Of course, using OpenID or not is entirely up to you. You won't be surprised to hear that I personally find the idea of distributed single-sign-on systems with multiple providers a universally stupid thing. Even if you put aside the very basic security problems that exist around phishing, having one login and identity for an array of websites is one big steaming single point of failure. Lose one password, lose them all. Genius!
If you're in any way security aware, then multiple identities and multiple passwords are the only sensible option and approach to have. It may of course upset those obsessed with so-called 'sockpuppets', but then in most cases they don't understand the technology anyway. They have a tendency to believe the marketing hype and thus think things like OpenID close loopholes, when in fact they're just a phisherman's heaven.
Update: Here's a useful link to read.