Neo percocet. Potent lortab percocet darvon. Difference between percocet and ultracet. Percocet. Percocet effects….

I believe you mean OAuth.

That’s a statement about the impact of either happening, it doesn’t address the difference in likelihood of either happening.

Isn’t it easier to hack a website to get control of an OpenID URL than it is to hack into an email account?

Or would you really need to hack into the OpenID account (which is distinct from the OpenID URL. i.e. you could control a URL that original defered to a MyOpenID account without knowing anything about the account).

For spammers, hacking OpenID’s URLs and searching for where they’ve been used to post comments on blogs – and so therefore might be whitelisted – could be an easy way to get round stricter comment spam filters.

They might work it the other way of course. find OpenIDs used to post comments, then check if the URL is secure. That could mean that the more you use your OpenID the more you are exposing yourself to spammers trying to hack your OpenID URL.

I wouldn’t be surprised if within the next year there someone within the OpenID community who defers their OpenID from a website they manage themselves gets their site hacked and their OpenID used to post comment spam.

As for AOL and Relying Party support. We do support 3rd party OpenID’s on dev.aol.com and a couple other sites: ficlets.com (which one best use of CSS) and circavie.com. We are working to make the relying party support more robust and to cover more services. I don’t want to give the impression that AOL is not active in supporting OpenID as a relying party.

On the security front, OpenID 2.0 does require SSL in a few cases so the 2.0 spec is much better from the security perspective.

However, the issue is how much security is needed for the resources being provided. SSL might be overkill. The only minor problem with this logic is that many people use the same password so any insecure channel could compromise their identity.