This is a reply to: http://eternallyoptimistic.com/2010/04/20/xauth-first-take/
XAuth seems to be nothing but a shared cookie, so it may not be a single point of failure. The RPs do not seem to communicate with xauth.org, so it should not be a critical problem even if the server were failing. At the very worst, the RP has to show all the NASCAR icons. That is all.
At the same time, it would have interesting (not fun) security implications on a shared computer, but I have not done the analysis yet.
And right, I feel that it is taking the user out of the cycle as well. It would have been much better if it just pointed to the location of the user’s XRD/s that lists all the services that a user can edit, but that may be way too esoteric. I agree that it is not user-centric. It is service-centric in philosophy, but that may be what the user is asking for as a priority: “ease of use”.