Oh, sorry seems like that once again, I wrote too much, and too little.
I agree that there isn't a widely used trust layer on top of OpenID right now, but how is that any different than normal WordPress account registration which requires only a username and email address?
Right now, wordpress registrations are usually validated with activation e-mail, matcapcha, or any other capcha. Openid users aren't validated.
I really don't want to write it in public, but with openid I will have no problems, for example, spaming for thousands of different identities (even from one web site address. I am not speaking about some openid providers, who allow almost automated openid creation. You won't be able even to block them with akismet).
After all, allowing user to register means that we trust them even a bit.
But we can't guarantee that OPENID user is even a human.
That's why Openid is really a superweak authentication method
The fact of the matter is, however, that many OpenID providers provide much stronger authentication than a standard WordPress username/password account. Go take a look at MyVidoop, MyOpenID, and Verisign PIP.
I know that technically, authentication is stronger. You won't belive, how many times I used OPENID for different hacking purposes ^_^'
Finally, all I mean that - openid user is the same an unverified guest: his openid only means that he owns some kind of url.
So, it's not good to make such guest a user.
Also, please consider that in many blogs, registered users gain more privileges, then guests - and it's not correct to give them to a openid guest.
I'll consider adding more options for enabling portions of the OpenID plugin, while leaving others disabled. In the meantime, you can certainly disable portions yourself, as you've already done.
Thank you, that's all we really want ^_^
Good luck, your openid plugin implementation is still the best.