I suggest verifying email addresses and OpenID identifiers independently. An OpenID provider is really only authoritative for the OpenID identifier; any other data you receive from it is really only a convenience to save the user from having to re-type it.
I'd argue against relying on a clearinghouse for OpenID providers. You trust the developer to manage their SSH key and their GPG keys; why not trust that they have sane management practices for their OpenID as well?
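A sketch of the separation suggested above, added here as an illustration and not part of the original comment: the validated OpenID identifier keys the account, while an e-mail address supplied by the provider is stored only as an unverified pre-fill until the user confirms it through a token sent to that address. All names (`Account`, `on_openid_login`, `issue_email_token`, `confirm_email`) are hypothetical, and the code assumes the OpenID assertion has already been validated by a library.

```python
import hashlib
import hmac
import json
import secrets
import time

SECRET = secrets.token_bytes(32)  # constructed server-side key for confirmation tokens
TOKEN_TTL = 3600                  # token lifetime in seconds (assumed value)

class Account:
    def __init__(self, claimed_id):
        self.claimed_id = claimed_id   # the only thing the provider vouches for
        self.email = None
        self.email_verified = False

def _sign(claimed_id, email, expires):
    # JSON list gives an unambiguous encoding of the three bound fields.
    msg = json.dumps([claimed_id, email, expires]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def on_openid_login(accounts, claimed_id, provider_attrs):
    """Run after the assertion for claimed_id has been validated."""
    acct = accounts.setdefault(claimed_id, Account(claimed_id))
    hint = provider_attrs.get("email")
    if hint and acct.email is None:
        acct.email = hint              # convenience pre-fill, stays unverified
    return acct

def issue_email_token(acct, now=None):
    # The token is mailed to acct.email; it binds identifier, address and expiry.
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    return f"{expires}:{_sign(acct.claimed_id, acct.email, expires)}"

def confirm_email(acct, token, now=None):
    now = time.time() if now is None else now
    try:
        expires_s, mac = token.split(":", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    good = _sign(acct.claimed_id, acct.email, expires)
    if expires < now or not hmac.compare_digest(mac.encode(), good.encode()):
        return False
    acct.email_verified = True
    return True
```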