I'm sort of surprised that there is no attempt to validate that the openid is associated with a human. It seems like that is step 1, and certainly part of good openid practice. Luis