Much discussion has happened recently about various attack vectors against OpenID, most of it brought up in the spirit of "I want to help fix it", which is great. In this post, I will try to summarize how to achieve a "security gradient" for OpenID that allows implementors to choose the tradeoff that best suits their application, because it clearly is a tradeoff between security and cost (in its various forms, such as additional hassle or education for end users). This is becoming particularly important as businesses explore how to leverage the rapidly growing OpenID community and its deployments for business purposes.