An OpenID is not an account! (simonwillison.net)
9 points by joshwa on Feb 26, 2007 | hide | past | favorite | 6 comments



This is a really confusing aspect of OpenID. It still perplexes me that when I log into a new site with my OpenID I have to verify email, choose username, etc.

What's all the fuss about if all it does is handle the password entry aspect?

I know that many 'normal' users find it very confusing to be redirected to a different web site to enter their password and then redirected back.


It all depends on the implementation on the relying site.

Indeed you must still pick a username (or perhaps you don't -- again, depends on the implementation), but it all comes down to simplifying the identification process. If the identity provider recognizes you, the relying site trusts that the information you provided there still holds true.

Single sign-on is the main hook right now and it's an attractive one, especially for users who are hesitant to try new services due to a lengthy sign-up form. Because it's open-spec, there are some interesting new applications for OpenID that are coming to light.


There was a good point that Simon Willison raised recently. If you're building a web app and that app gets dugg, the Digg users will be able to log straight into your site with no sign-up process if you support OpenID. Anything that lowers the barriers to someone using your app has got to be a good thing.


In theory couldn't one ban any OpenID below a certain pagerank? For example, my OpenID is embedded on my homepage, which has a pagerank of 6. So then could I create a Reddit clone and ban anyone with an OpenID coming from a site with a pagerank below 4? You would probably have to accept only OpenIDs from the header of index.html, and check to make sure there was only one OpenID per page. That way if you got banned for trolling then you'd have to make a new homepage and get it up to a certain pagerank before you could make a new account at the site.


Yeah, because there are no unscrupulous ways of elevating one's pagerank...


PageRank works almost exactly the same way as a PKI. The only difference is that instead of people signing your key to vouch that it belongs to you, they are linking to your webpage to vouch that it has quality content. PageRank can be faked, certainly, but it is difficult enough to at least significantly slow someone down. To make it more trustworthy you'd probably have to modify it to create certain webpages that were absolutely trusted, and then do some sort of Kevin Bacon rank where end users were scored based on the degrees of separation. That way there is some designated starting point, rather than the whole system being based off popularity.
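
Added example (not part of the thread or of any commenter's post): the two scoring ideas from the comment above, raw link popularity versus degrees of separation from designated trusted pages, run over a constructed link graph. All hostnames, the seed set and the `max_degrees` threshold are assumptions made for illustration.

```python
from collections import deque

# Constructed link graph: page -> pages it links to (hypothetical hostnames).
LINKS = {
    "trusted-root.example": ["alice.example", "news.example"],
    "news.example": ["bob.example"],
    "alice.example": ["bob.example"],
    "bob.example": ["carol.example"],
    # Link farm: pages that link to each other and to one homepage, but
    # nothing reachable from the trusted seed links into the cluster.
    "farm1.example": ["troll.example", "farm2.example"],
    "farm2.example": ["troll.example", "farm3.example"],
    "farm3.example": ["troll.example", "farm1.example"],
    "troll.example": ["farm1.example"],
}
SEEDS = {"trusted-root.example"}  # assumed "absolutely trusted" pages


def inbound_count(links):
    """Popularity only: number of distinct pages linking to each page."""
    counts = {}
    for src, dsts in links.items():
        for dst in set(dsts):
            if dst != src:
                counts[dst] = counts.get(dst, 0) + 1
    return counts


def degrees_from_seeds(links, seeds):
    """Breadth-first search: fewest links from any trusted seed to each page."""
    dist = {seed: 0 for seed in seeds}
    queue = deque(seeds)
    while queue:
        page = queue.popleft()
        for nxt in links.get(page, ()):
            if nxt not in dist:
                dist[nxt] = dist[page] + 1
                queue.append(nxt)
    return dist


def allow_openid(homepage, links=LINKS, seeds=SEEDS, max_degrees=2):
    """Accept an OpenID only if its homepage is within max_degrees of a seed."""
    degrees = degrees_from_seeds(links, seeds).get(homepage)
    return degrees is not None and degrees <= max_degrees


if __name__ == "__main__":
    print("inbound links:", inbound_count(LINKS))
    print("degrees from seed:", degrees_from_seeds(LINKS, SEEDS))
    for page in ("bob.example", "carol.example", "troll.example"):
        print(page, "allowed" if allow_openid(page) else "rejected")
```

On this graph the farmed homepage has more inbound links than `bob.example` yet has no path from the seed, so only the seeded score rejects it. A single link into the farm from any page near the seed would change that, so the seed list and the threshold carry the whole policy.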



