ritou’s blog post prompted me to think a little about this issue.
IMHO, there are two reasons.
(1) Cannot trust the RP.
(2) Legal problem.
In the U.S., (1) would be the main problem, I suppose. Thus, white listing through OAuth consumer key or realm based etc. white listing for OpenID seems to be the way.
In other OECD jurisdictions, (2) would be an even larger problem. If it is a decent business, it cannot pass the PII to a third party without permission. Now, to prove that one has this permission is rather problematic, because when obtaining a permission, it has to state the clear purpose and scope of use, which may differ from transaction to transaction. A wholesale pre-agreement does not work here.
That’s why we need some kind of dynamic contract framework such as CX or ProtectServe, which essentially has a Relationship Manager that controls this “contracting” dynamically.