This is a must-read for anyone looking at the email address attached to an OpenID response.
Even more enlightening is this passage at the end of the article: “One minor issue with email addresses as identification credentials is that they are potentially reusable. email@example.com is currently my email address, but could potentially in the future be assigned to another person. Reuse of email addresses is not an issue that we’re concerned with as it is common practice across the web to assume ownership of an email address implies ownership of the identity. Just about every web service provides account recovery via email.”
This means that even if you do trust the email for an OpenID user, you’d better not trust it permanently.
Originally shared by Abraham Williams
When using OpenID for authentication you should only trust the identity by default. If you use AX attributes you need to verify they have not been modified using a signature, and only trust attributes passed from a trusted OpenID provider.
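As an added example (not code from the shared post or the linked article), here is a relying-party check in Python that applies the two rules above: accept the assertion only from an allow-listed OP, and trust the AX email only when `openid.signed` covers it and `openid.sig` verifies under the association MAC key. The OP and RP URLs, the MAC key and the sample assertion are all constructed for the demo.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

AX_NS = "http://openid.net/srv/ax/1.0"
EMAIL_TYPE = "http://axschema.org/contact/email"
MAC_KEY = b"constructed-demo-association-mac-key"  # constructed: key agreed with the OP at association time
TRUSTED_OPS = {"https://op.example.com/openid"}  # assumption: the RP's own allow-list of OP endpoints

def kv_form(params, signed_fields):
    # OpenID 2.0 key-value form: signed fields in openid.signed order, "openid." prefix stripped.
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields).encode()

def sign(params, signed_fields, mac_key=MAC_KEY):
    # HMAC-SHA256 association: openid.sig = base64(HMAC(mac_key, kv_form)).
    return base64.b64encode(hmac.new(mac_key, kv_form(params, signed_fields), hashlib.sha256).digest()).decode()

def verified_email(query, mac_key=MAC_KEY, trusted=TRUSTED_OPS):
    """Return the AX email only when a trusted OP signed it; otherwise None."""
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if params.get("openid.mode") != "id_res" or params.get("openid.op_endpoint") not in trusted:
        return None
    # AX fields sit under an OP-chosen alias, declared by openid.ns.<alias>=AX_NS.
    alias = next((k[len("openid.ns."):] for k, v in params.items() if k.startswith("openid.ns.") and v == AX_NS), None)
    if alias is None or params.get(f"openid.{alias}.type.email") != EMAIL_TYPE:
        return None
    signed = params.get("openid.signed", "").split(",")
    # The core fields and the AX type *and* value must all be under the signature; an attribute
    # outside openid.signed can be rewritten in transit without invalidating openid.sig.
    core = {"op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"}
    if not (core | {f"{alias}.type.email", f"{alias}.value.email"}).issubset(signed):
        return None
    if not all("openid." + f in params for f in signed) or not hmac.compare_digest(
            sign(params, signed, mac_key).encode(), params.get("openid.sig", "").encode()):
        return None  # a signed field is missing, or the signature does not verify
    return params[f"openid.{alias}.value.email"]

def demo_response(email, sign_ax=True):
    # Constructed id_res assertion of the kind an OP redirects back to the RP.
    p = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
         "openid.op_endpoint": "https://op.example.com/openid", "openid.assoc_handle": "h1",
         "openid.claimed_id": "https://op.example.com/alice", "openid.identity": "https://op.example.com/alice",
         "openid.return_to": "https://rp.example.org/return", "openid.response_nonce": "2013-01-01T00:00:00Zx9",
         "openid.ns.ext1": AX_NS, "openid.ext1.type.email": EMAIL_TYPE, "openid.ext1.value.email": email}
    fields = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle", "ns.ext1"]
    fields += ["ext1.type.email", "ext1.value.email"] if sign_ax else []  # sign_ax=False leaves AX unsigned
    p["openid.signed"] = ",".join(fields)
    p["openid.sig"] = sign(p, fields)
    return urlencode(p)
```

With `sign_ax=False` the signature still verifies, yet `verified_email` rejects the response because the attribute itself is outside `openid.signed`; that is the case the post warns about.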