12 Jul 09:45
[OpenID] A balance of power: Identity based on DIStrust
From: SitG Admin <sysadmin <at> shadowsinthegarden.com>
Subject: [OpenID] A balance of power: Identity based on DIStrust
Newsgroups: gmane.comp.web.openid.general
Date: 2008-07-12 07:48:50 GMT
I've been thinking about privacy, and for a moment I blanked out on the fact that we have this feature called "Delegation" now, which lets us outsource the authentication to a site other than the one our Identity is being hosted on.

This doesn't really provide any *security* since the ID-hosting site can still temporarily redirect RPs to an OP of its choice, bypassing the security at a user's designated OP, and then it can even make matters *worse* by giving that delegated-to OP the opportunity to masquerade as the user. So, we have 3 parties here who can act as the user, and 2 of them could be any number of employees with the ability to make changes.

The only benefits I see delegation providing are outsourcing (in case the ID-hosting site can't run, or isn't running, a Provider themselves) and privacy (the ID-hosting site can't track which RPs are checking the user's authenticity with an external OP).

(Now, the ID-hosting site *can* look for User-Agent strings associated with common OpenID libraries, and check for requests to every user's Identity page, looking up the IP addresses of probable RPs to find out what site they were coming from. To mitigate this, I suggest an extension to OpenID whereby the lookup of an Identity page to discover the OpenID headers can *itself* be outsourced - this wouldn't help with timing, though, so the ID-hosting site could still (potentially) keep track of *when* a user was authenticating to a new service, and how often they used their OpenID elsewhere.)

While a single rogue employee (or boss, or IT sysadmin) may be able to leverage the resources of their entire company, their influence outside that sphere should be limited. Not only is there the expected difficulty of feeling out potential companions in crime, but some of these other companies will be *competitors*. I'm not thinking of the
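
The message above points out that the ID-hosting site decides which OP an RP is sent to. The following is an added example, not part of the original message: a user-side check that compares the delegation `<link>` tags an Identity page serves against values the user has pinned. The `rel` names are those of OpenID 1.1 and 2.0 HTML discovery; the URLs, `PINNED` and the sample pages are constructed for illustration.

```python
from html.parser import HTMLParser

# rel values used by OpenID 1.1 / 2.0 HTML-based discovery
DELEGATION_RELS = {"openid.server", "openid.delegate",
                   "openid2.provider", "openid2.local_id"}

class _LinkCollector(HTMLParser):
    """Collects href values of <link> tags that carry a delegation rel."""
    def __init__(self):
        super().__init__()
        self.found = {}  # rel -> set of hrefs seen for it

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        href = (a.get("href") or "").strip()
        # one rel attribute may hold several space-separated tokens
        for rel in (a.get("rel") or "").lower().split():
            if rel in DELEGATION_RELS and href:
                self.found.setdefault(rel, set()).add(href)

def check_delegation(html, pinned):
    """Return a list of mismatches; an empty list means the page matches."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for rel in sorted(DELEGATION_RELS):
        want, got = pinned.get(rel), parser.found.get(rel, set())
        if want is None and got:
            findings.append(f"unexpected {rel}: {sorted(got)}")
        elif want is not None and got != {want}:
            findings.append(f"{rel}: expected {want}, saw {sorted(got) or 'nothing'}")
    return findings

# Constructed sample data (hypothetical OP and local identifier)
PINNED = {"openid.server": "https://op.example/auth",
          "openid2.provider": "https://op.example/auth",
          "openid.delegate": "https://op.example/user/alice",
          "openid2.local_id": "https://op.example/user/alice"}
GOOD_PAGE = """<html><head>
<link rel="openid2.provider openid.server" href="https://op.example/auth">
<link rel="openid2.local_id openid.delegate" href="https://op.example/user/alice" />
</head></html>"""
SWAPPED_PAGE = GOOD_PAGE.replace("https://op.example/auth",
                                 "https://other-op.example/auth")

if __name__ == "__main__":
    print(check_delegation(SWAPPED_PAGE, PINNED))
```

The check only covers the copy of the page it is handed, so it says nothing about what the host serves to other clients or at other times.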