Today the OpenID distributed identity authentication system developed by Brad Fitzpatrick of LiveJournal fame came out of development and into finalized territory. I am totally down with the concept of devising a distributed identity system that I can personally control, as opposed to something centralized as owned by Microsoft (Passport) or Six Apart (TypeKey), e.g. I also dig that an OpenID identity is simply a URL. What I need your help with is understanding the details of this and whether or not the implementation is solid in this OpenID system. Questions follow the jump for those of you developer-minded souls…
The description says “Anybody can run their own site using OpenID, and anybody can be an OpenID server, and they all work with each other without having to register with or pay anybody to ‘get started’. An owner of a URL can pick which OpenID server to use.” How does this actually play out — the example uses LiveJournal as the OpenID homesite. So, if I have a LiveJournal account, I can use that as my homesite from which all authentications flow. But then what happens if LJ goes belly-up — does my identity then vanish? What if I tie my identity to a domain I own that later expires — am I not then S.O.L., or rather, I’m just tethered to renewing that domain if I want to preserve that particular identity. Or does it not work like that at all — my identity URL isn’t tied to any particular OpenID homesite server per se, perhaps, so if LJ goes belly-up I can still use the same URL to identify myself so long as I pair it with another OpenID server?

One more question — how secure is this system? Wouldn’t it give a potential identity thief a lot of incentive to figure out whatever my homesite’s login password is, so they could happily masquerade as me across any and all other sites that I visit (that implement OpenID, of course)?
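As an added illustration (not from the original post, and not code from LiveJournal or any OpenID library): in OpenID 1.x the page served at the identity URL declares which server vouches for it with a `<link rel="openid.server">` tag, optionally plus `<link rel="openid.delegate">` naming the account at that server, so the URL owner can re-point those tags at a different server while keeping the same URL. The parser below performs that discovery step on a constructed sample page; the URLs in the sample are invented.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin


class _OpenIDLinkParser(HTMLParser):
    """Collect the openid.server / openid.delegate <link> tags from a page's <head>."""

    def __init__(self):
        super().__init__()
        self.found = {}
        self.in_head = True  # the tags belong in <head>; ignore anything once <body> starts

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_head = False
        if tag != "link" or not self.in_head:
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()  # rel may list several tokens
        href = a.get("href")
        if not href:
            return
        for rel in ("openid.server", "openid.delegate"):
            if rel in rels and rel not in self.found:  # first declaration wins
                self.found[rel] = href


def discover(identity_url, html):
    """Return (server_url, delegate_url) for the page fetched from identity_url.

    Returns None when the page declares no OpenID server. Relative hrefs are
    resolved against the identity URL; without an openid.delegate tag the
    identity URL itself is what the server is asked to vouch for.
    """
    parser = _OpenIDLinkParser()
    parser.feed(html)
    parser.close()
    server = parser.found.get("openid.server")
    if server is None:
        return None
    delegate = parser.found.get("openid.delegate", identity_url)
    return urljoin(identity_url, server), urljoin(identity_url, delegate)


# Constructed sample identity page: the URL is the identity; the link tags say
# which server vouches for it, and swapping them moves the identity elsewhere.
SAMPLE_PAGE = """<html><head>
<link rel="openid.server" href="https://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://exampleuser.livejournal.com/">
</head><body>my homepage</body></html>"""
```

Running `discover("http://example.com/", SAMPLE_PAGE)` yields the LiveJournal server and delegate pair; editing the two tags on the page is all it takes to pair the same URL with another server.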
Thanks in advance for any feedback!
1. The security risk is equal to that of another centralized auth. system like MS Passport. If you got my Passport username/pass you could get my email (hotmail), my finances (money)...and the list goes on. What would be neat is to view a transactional log of all events that happened with your OpenID account. That way, I can monitor my logins and usage (timestamped of course).
Posted at 8:05PM on Dec 18th 2005 by Kunal