
I always use the same OpenID provider (Google, with a strong unique pw and 2-factor auth) in every site that supports it, without thinking twice. It's my understanding that, as long as the provider is safe, it doesn't matter if one or more of these sites get compromised, the rest of them will remain safe.

However, one comment in another question put me in doubt:

One part of the issue is that you "lose" control of your users' identities, so you might be exposing your data (...). However, typically a user will use his OpenId for several sites, some of lower security, which might potentially put his identity on the higher-security site at risk. (A question of trust boundaries and attack surface). BUT, if he wants to mix identity between secure- and not-so-much sites, that could be his choice.

I've been reading about user-centric and enterprise-centric identities and some related concepts, but couldn't quite understand how this can happen. After all, each Relying Party only trusts the OpenID Provider, not necessarily one another. Activity in one of them will not be endorsed by the other, even if it reports it as linked to the same OpenID account. Besides, sensitive info in an RP won't necessarily find its way back to the OP, much less become available to the remaining RPs.

And anyway, a site (or collection of related sites) can create its own "persona" independently of the method of authentication. StackExchange, for instance, has a single network profile that centralizes all actions from the same user across its many sites, and at the same time allows each user to authenticate to the same account through many OpenID providers (if any of the providers is compromised, then of course the user account will be at risk, but not if all providers are safe and some other relying party - linked to any of them - misbehaves).

Am I missing something? Should I use different providers for sites that I care more or less about, or is it OK to keep using a single one for everything?

P.S. When I first read "I Just Logged In As You" and its follow-up I thought it was a problem with OpenID, but after a careful reading I understood that the actual problem Jeff faced was password reuse, and other than that his provider account would still be safe. Is that correct, or is there really a possibility that a compromised Relying Party can end up interfering with the OpenID Provider?

mgibsonbr

1 Answer


The risk here is the online persona itself and what would result in social engineering attacks. Let's say that you use Google as the OpenID authenticator and have linked it to the Stack Exchange sites along with a collection of other sites. Prior to this, you may have used the same username and everything else across all sites, but it was all a loose association which people would not use to trust that "mgibsonbr" is actually you. Well, now people can see on sites such as Stack Exchange, Reddit and shodanhq that mgibsonbr is linked directly to your Gmail account, and they trust that they are actually talking to you.

Now let's say someone compromises Stack Exchange and can impersonate any user. Big deal, right? All they can do is ask or answer questions, and people will think that you didn't understand what rm -rf / would do. Well, what if they started applying for jobs as you on the Careers 2.0 site? Employers are going to believe that they're actually speaking with you because the Careers 2.0 site is directly linked to your email address. Maybe they'll even get a job and be employed as you at some company. Or maybe another site you linked to your OpenID allowed you to apply for credit cards. Now someone has credit cards in your name.

The idea is that you would not want to link your OpenID with any site where posing as you could do any real damage.

Eric

Thanks, that clarified things a lot, though I'm still not sure whether or not the things you say would be different had I **not** used OpenID. The problem here seems to be one of *Persona*, not authentication. For instance, when I created an account at Stack Overflow two years ago I used a nickname instead of my "default" username, and I didn't have a Gravatar by then. The fact I used Google for auth was irrelevant, since SE does not publish the user's e-mail address and list of linked third-party accounts. Nonetheless, after reading your answer the separation of concerns is clear to me now. – mgibsonbr Feb 22 '13 at 09:16