Really interesting that CRL checks aren't baked into a lot of open source OpenID providers:
Sun has already updated their web site with this disclaimer:
OpenID is an untrusted protocol. Sun has no liability for what happens to any information you give to a third-party web site using this service. Most OpenID-enabled sites are genuine but some may be phishers or other rogues. Sun currently has no way of distinguishing the good sites from the bad. Do not use the OpenID@Work service for any high-value, critical, or Sun proprietary information.
Be aware of DNS poisoning, which has been in the news a lot in 2008. We recommend that you test your connection, for example using the tests at DoxPara Research, to be sure that the site you think you are connecting to, and trusting with your identity, is in fact the right site. You could also consider using Sun's VPN for all browsing as the Sun systems are not affected by the DNS poisoning problem.
Wow . . . just . . . wow.