This document summarizes known security issues in the OpenID protocol specification and its implementations: the user's browser acting as the relay, and therefore a potential man-in-the-middle, for messages between relying parties and identity providers; session swapping, in which an assertion issued for one party's identity is delivered into another user's browser session; phishing risks arising from HTML-based discovery; and man-in-the-middle attacks mounted by an end entity positioned between a relying party and an identity provider. It gives examples of how the protocol specification and security profiles have addressed some of these issues, and notes that further work is still needed to fully mitigate the remaining risks.
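The session-swapping issue listed above, as an added example that is not part of the original document and not code from any OpenID project: a minimal relying party (RP) and provider (OP) exchange OpenID 2.0 style signed assertions through the user's browser, and the RP rejects an assertion that an attacker obtained in their own session and then planted in the victim's browser. The association handle and MAC key, the endpoint URLs, and the `rp.nonce` parameter name are constructed assumptions; real deployments negotiate the association and would additionally check `response_nonce` for replay.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlparse

# Constructed association (an assumption for this example): a real RP and OP establish the
# shared MAC key with an association request; it is fixed here so the code runs offline.
ASSOC_HANDLE = "assoc-example"
ASSOC_SECRET = b"constructed-shared-mac-key"
OP_ENDPOINT = "https://op.example/auth"
RP_RETURN_BASE = "https://rp.example/openid/return"

def kv_sign(fields, signed_keys):
    """OpenID 2.0 style signature: HMAC over 'key:value\\n' lines for the keys in 'signed'."""
    payload = "".join(f"{k}:{fields[k]}\n" for k in signed_keys).encode()
    return base64.b64encode(hmac.new(ASSOC_SECRET, payload, hashlib.sha256).digest()).decode()

class Provider:
    """Minimal OP: issues a signed positive assertion for whoever is logged in at the OP."""
    def assert_identity(self, request, logged_in_user):
        fields = {
            "mode": "id_res",
            "op_endpoint": OP_ENDPOINT,
            "claimed_id": logged_in_user,
            "identity": logged_in_user,
            "return_to": request["openid.return_to"],
            "response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4),
            "assoc_handle": ASSOC_HANDLE,
        }
        signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
        fields["signed"] = ",".join(signed)
        fields["sig"] = kv_sign(fields, signed)
        # The assertion is delivered as a redirect through the user's browser to return_to.
        return fields["return_to"] + "&" + urlencode({"openid." + k: v for k, v in fields.items()})

class RelyingParty:
    """RP that binds every authentication request to the browser session that started it."""
    def __init__(self):
        self.sessions = {}  # session cookie -> {"nonce": ..., "user": ...}

    def start_login(self, session_id):
        nonce = secrets.token_urlsafe(16)
        self.sessions[session_id] = {"nonce": nonce, "user": None}
        # The session nonce rides inside return_to, which the OP signs, so it cannot be swapped.
        return_to = RP_RETURN_BASE + "?" + urlencode({"rp.nonce": nonce})
        return {"openid.mode": "checkid_setup", "openid.return_to": return_to,
                "openid.assoc_handle": ASSOC_HANDLE}

    def finish_login(self, session_id, callback_url):
        """Return the authenticated identifier, or None if the assertion is rejected."""
        session = self.sessions.get(session_id)
        if session is None or session["nonce"] is None:
            return None  # no login was started from this browser session
        url = urlparse(callback_url)
        params = parse_qsl(url.query)
        fields = {k[len("openid."):]: v for k, v in params if k.startswith("openid.")}
        others = sorted((k, v) for k, v in params if not k.startswith("openid."))

        # 1. The signature must cover the mandatory fields and verify under our association.
        signed = fields.get("signed", "").split(",")
        required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}
        if not required.issubset(signed) or any(k not in fields for k in signed):
            return None
        if fields["assoc_handle"] != ASSOC_HANDLE or not hmac.compare_digest(
                kv_sign(fields, signed).encode(), fields.get("sig", "").encode()):
            return None

        # 2. The URL the assertion actually arrived at must match the signed return_to
        #    (OpenID 2.0, section 11.1), so unsigned query parameters cannot be altered.
        rt = urlparse(fields["return_to"])
        if (rt.scheme, rt.netloc, rt.path) != (url.scheme, url.netloc, url.path):
            return None
        if sorted(parse_qsl(rt.query)) != others:
            return None

        # 3. Session binding: the nonce inside the signed return_to must be the one this
        #    session generated, so an assertion obtained in the attacker's session fails here.
        rt_nonce = dict(parse_qsl(rt.query)).get("rp.nonce", "")
        if not hmac.compare_digest(rt_nonce.encode(), session["nonce"].encode()):
            return None
        session["nonce"] = None  # single use
        session["user"] = fields["claimed_id"]
        return session["user"]

def session_swapping_demo():
    """Attacker gets an assertion for their own identity and plants it in the victim's browser."""
    rp, op = RelyingParty(), Provider()
    victim_request = rp.start_login("victim-cookie")      # victim starts logging in
    attacker_request = rp.start_login("attacker-cookie")  # attacker starts in their own browser
    planted = op.assert_identity(attacker_request, "https://op.example/attacker")
    # The victim's browser is made to load the planted URL (image tag, redirect, ...),
    # so it reaches the RP carrying the victim's session cookie.
    swapped = rp.finish_login("victim-cookie", planted)
    honest = rp.finish_login("victim-cookie", op.assert_identity(victim_request, "https://op.example/victim"))
    return swapped, honest  # (None, "https://op.example/victim")
```

The planted assertion carries a valid OP signature and a well-formed `return_to`, so checks 1 and 2 pass; only the binding between the nonce inside the signed `return_to` and the session that generated it (check 3) distinguishes it from the victim's own login. Because `return_to` is among the signed fields, the attacker cannot substitute the victim's nonce without invalidating the signature, and because the RP compares the arrival URL against `return_to`, the nonce cannot be smuggled in through an unsigned parameter either.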