First of all, let me say that I think OpenID as a technology is good, and useful, and *can* be secure. However, I just need to sound a brief note of caution – it’s nothing too major, but there is a privacy issue, and it depends on who your OpenID provider is.
The problem with OpenID from a privacy point of view is this: every single OpenID authentication request incurs a redirect to your OpenID provider, and that redirect tells the provider which website you are trying to log in to. If you run your own OpenID provider, or use one from a trusted partner, that’s no problem. However, have you wondered why Yahoo, Myspace, Facebook, and all those other services are promoting OpenID and offering to be your free OpenID provider if you have an account with them? It’s not quite as altruistic as it looks. Essentially, by using your Facebook-enabled OpenID you are providing Facebook with a log of every single OpenID-enabled site you log in to – in other words, you’re giving them your browsing history on a plate. This is, of course, extremely valuable to the sort of organisation that does advertising for a living, and is therefore a very good reason why you should run your own OpenID provider.
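To make the leak concrete, here is an added example (not code from the original post) that builds the OpenID 2.0 `checkid_setup` redirect a relying party sends the browser to, then parses it the way a provider would and returns what the provider can record before it has even authenticated the user. The hostnames, user identifier and return URLs are constructed for illustration; the `openid.*` parameter names are the real OpenID 2.0 ones.

```python
"""Added example: what an OpenID 2.0 provider learns from each login redirect.

The relying party (RP) must put its own address into the redirect
(openid.return_to / openid.realm) so that the provider can send the user
back. A provider that logs those fields therefore accumulates the list of
OpenID-enabled sites a user logs in to, which is the privacy issue above.
All URLs and identifiers below are constructed, not real services.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

OPENID_NS = "http://specs.openid.net/auth/2.0"
AUTH_MODES = ("checkid_setup", "checkid_immediate")


def build_rp_redirect(op_endpoint, claimed_id, return_to, realm):
    """RP side: build the URL the user's browser is redirected to.

    Every field here is required by the protocol; the RP cannot hide
    which site it is, because the provider needs return_to to finish.
    """
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    return op_endpoint + "?" + urlencode(params)


def provider_view(redirect_url):
    """Provider side: parse an incoming authentication request.

    Returns the record a provider could keep about this visit, or None if
    the request is not an OpenID 2.0 authentication request.
    """
    query = parse_qs(urlsplit(redirect_url).query)

    def one(key):
        values = query.get(key)
        return values[0] if values else None

    if one("openid.ns") != OPENID_NS or one("openid.mode") not in AUTH_MODES:
        return None

    # The realm is the RP's stated identity; fall back to return_to.
    site_url = one("openid.realm") or one("openid.return_to")
    return {
        "user": one("openid.claimed_id"),
        "site": urlsplit(site_url).netloc if site_url else None,
        "return_to": one("openid.return_to"),
    }


def sites_seen_by_provider(redirect_urls):
    """The 'browsing history' a provider accumulates: one entry per login.

    Only well-formed authentication requests count; anything else is
    ignored rather than logged.
    """
    history = []
    for url in redirect_urls:
        record = provider_view(url)
        if record and record["site"]:
            history.append(record["site"])
    return history


if __name__ == "__main__":
    # Constructed sample: one user logging in to three different sites.
    op = "https://op.example.net/auth"
    me = "https://alice.op.example.net/"
    logins = [
        build_rp_redirect(op, me, f"https://{host}/openid/return?t=x",
                          f"https://{host}/")
        for host in ("forum.example.org", "shop.example.com",
                     "news.example.net")
    ]
    for site in sites_seen_by_provider(logins):
        print("provider saw login to:", site)
```

Running the module prints the three constructed hostnames, which is precisely the per-site record the post warns about; the only thing that changes when you self-host the provider is who holds that list.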
In summary, the only *safe* OpenID to use, if you value your privacy, is one run by yourself or by a trusted partner. The next best option might be an OpenID run by your employer – at least that way you know who’s following you.