Over the past few days at the Internet Identity Workshop 2006B, a recurring theme has been trust, and especially the lack of it, between a Relying Party (RP) and the OpenID Provider (OP).
Dick Hardt's position is that the trust is between the RP and the user, and between the user and the OP -- not between the RP and the OP. It is up to the user to pick a trustworthy OP.
The problem with this position is that it is fine for low-value transactions (identifying the author of a comment on a blog) but very wrong for an RP that holds resources it needs to protect. Such resources include bank accounts, merchandise in an ecommerce site, or simply data that needs privacy protection, such as my contact info or my address book.
The reason trust must exist between the RP and the OP in such cases is that the RP MUST protect the resource from a malicious user who is trying to reach some other user's data. So the RP has to check, in its dealings with the OP, that the OP is not confirming an identity that belongs to another user; in other words, the RP needs some assurance that the OP only confirms identities for users in its own world.
So it is not that the RP MUST trust the OP in the case where everything is as it should be (the right user, using the right OP, reaching their own data at the RP), but that the RP MUST TRUST that the OP is not enabling the malicious user.
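To make that "right OP for this user" check concrete, here is an added example (mine, not part of the original post or of any OpenID implementation) of the verification an RP would run on an incoming assertion. It assumes a discovery step has already bound each claimed identifier to exactly one OP endpoint, and that the RP holds a shared HMAC-SHA1 association key per OP; the identifiers, endpoints, keys and nonces are all constructed, hypothetical values. The point is that a perfectly valid assertion, correctly signed by an OP the RP has an association with, is still rejected when that OP is not the one authoritative for the claimed identifier.

```python
import base64
import hashlib
import hmac

# Constructed discovery table (hypothetical URLs): what the RP learned by
# fetching each claimed identifier and reading which OP it points to.
DISCOVERED_OP = {
    "https://alice.example.net/": "https://op.example.net/auth",
    "https://bob.example.org/": "https://idp.example.org/openid",
}

# Constructed association keys (hypothetical): one shared MAC key per OP
# endpoint, established out of band before any assertion is accepted.
ASSOC_KEYS = {
    "https://op.example.net/auth": b"rp-op-example-net-shared-secret",
    "https://idp.example.org/openid": b"rp-idp-example-org-shared-secret",
}

RP_RETURN_TO = "https://rp.example.com/openid/return"
REQUIRED_SIGNED = ("op_endpoint", "claimed_id", "return_to", "nonce")

# Nonces already accepted; kept in memory for this example only.
seen_nonces = set()


def sign(fields, signed_names, key):
    """Key-value serialization of the signed fields, HMAC-SHA1 under the association key."""
    msg = "".join(f"{name}:{fields[name]}\n" for name in signed_names).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def make_assertion(op_endpoint, claimed_id, key, nonce):
    """What an OP sends back to the RP after authenticating the user (simplified)."""
    fields = {
        "op_endpoint": op_endpoint,
        "claimed_id": claimed_id,
        "return_to": RP_RETURN_TO,
        "nonce": nonce,
    }
    fields["signed"] = ",".join(REQUIRED_SIGNED)
    fields["sig"] = sign(fields, REQUIRED_SIGNED, key)
    return fields


def verify_assertion(fields):
    """Return (accepted, reason). Every check here is one the RP cannot delegate to the OP."""
    op = fields.get("op_endpoint")
    claimed = fields.get("claimed_id")

    # 1. The OP must be the one that discovery bound to this identifier.
    #    This is what stops OP B from asserting an identifier served by OP A.
    if claimed is None or DISCOVERED_OP.get(claimed) != op:
        return False, "OP is not authoritative for this claimed identifier"

    # 2. The assertion must have been issued for this RP, not captured elsewhere.
    if fields.get("return_to") != RP_RETURN_TO:
        return False, "return_to mismatch"

    # 3. The fields we rely on must all be under the signature ...
    signed = fields.get("signed", "").split(",")
    for name in REQUIRED_SIGNED:
        if name not in signed:
            return False, f"{name} not covered by signature"
    if any(name not in fields for name in signed):
        return False, "signed field missing from assertion"

    # ... and the signature must verify under the key shared with that OP.
    key = ASSOC_KEYS.get(op)
    if key is None:
        return False, "no association with this OP"
    if not hmac.compare_digest(sign(fields, signed, key), fields.get("sig", "")):
        return False, "bad signature"

    # 4. Each assertion may be used once.
    nonce = fields["nonce"]
    if nonce in seen_nonces:
        return False, "replayed assertion"
    seen_nonces.add(nonce)
    return True, "ok"
```

Note that the rogue case fails at step 1 even though its signature is valid: the RP has an association with that OP and trusts it for its own users, just not for anyone else's identifiers. That is exactly the narrow trust the post is asking for.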
To enable such trust, OpenID will end up having to replicate much of the protocol protection that already exists in Liberty ID-FF and SAML. My opinion is, of course, that rather than replicating things yet again, it should profile them.