That’s a great idea. It’s certainly something that OPs and RPs should take into consideration.
There are currently some conversations going on about an OpenID Security Best Practices document; while the spec shouldn’t mandate SSL, it certainly should present the case for supporting it, ideally in a best practices doc.
AP² commented
@Roelof: I got a free SSL certificate with my $8 domain. It doesn't provide EV, but forging that is a much more sophisticated (and time-consuming) attack than simply sniffing data as it flies before the attacker.