I am sincerely interested in hearing the arguments for why OpenID counts as "properly designed". I implemented it for my day job. The experience both as a relying party and as an end user is <i>miserable</i>, and (though not relevant to our implementation) I question the security wisdom of teaching users that any random site on the Internet is going to ask for their Yahoo/Gmail password and that giving it to them is OK.