OpenID is essentially a decentralized single-sign-on system. I can sign in to any site that supports OpenID using my new OpenID from this blog. My new OpenID is http://raykrueger.blogspot.com/. That's right, it's just the URL for this blog.
This is why I think OpenID is cool. My 'REAL' OpenID is raykrueger.pip.verisignlabs.com, I set it up at verisignlabs because they are the only provider that uses TLS by default. In Tim's post he points out that a lack of TLS/SSL in this scenario is sketchy at best, and I agree. Encryption is a must.
Ok, so Versign provides the OpenID authentication, but when I log into sites that support OpenId, I tell them my OpenId is http://raykrueger.blogspot.com/. When they come here to my blog they'll find a simple bit of html in the page that tells them where to go for the real authentication provider. Have a look; right click this page and 'view source', you'll see two tags in the head section of the page that look like this:
<link href='https://pip.verisignlabs.com/server' rel='openid.server'/>This tells the site that I'm logging into that http://raykrueger.blogspot.com/ is not the real provider, and that they should go to versignlabs as the server, and use by delegate openid, raykrueger.pip.verisignlabs.com.
<link href='http://raykrueger.pip.verisignlabs.com/' rel='openid.delegate'/>
Why go through all this trickery? Why not just use versignlabs as my openId directly? Well, if versignlabs (which is beta) gets dropped, or (god forbid) becomes a paid service, I'm not screwed. I can change providers at any time, just by changing the html tags here at blogspot. If you're interested in setting up this up for yourself, have a look at Simon Willison's instructions.