I know I am missing something in reading the Provider Authentication Policy Extension spec:
http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.html
It reads to me that you ask the OpenID Provider (OP) to perform some extra level of authentication. The OP then responds back to you telling you whether or not it performed that authentication. How does this prevent, for instance, phishing at all? Can't the OP simply lie about what authentication it did or did not do?
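To make the exchange the question describes concrete, here is an added example (not code from the question or from the PAPE spec) of the two halves of the extension from the Relying Party's side: the PAPE parameters the RP adds to its request, and the checks the RP can run on the OP's response. The policy URIs and the `openid.pape.*` / `openid.signed` field names follow the PAPE 1.0 spec; the sample responses are constructed, not captured from a real OP, and the code assumes the core OpenID signature on the positive assertion has already been verified by other code. Note what the checker can and cannot do: it confirms the claim is inside the signed part of the assertion and matches what was requested, but nothing in it can tell whether the OP really did what it claims.

```python
"""RP-side handling of the OpenID PAPE extension (added example).
Assumes the OpenID core signature on the positive assertion has already
been verified elsewhere; this code only inspects the PAPE fields."""
import datetime as dt

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY_BASE = "http://schemas.openid.net/pape/policies/2007/06/"
PHISHING_RESISTANT = POLICY_BASE + "phishing-resistant"
MULTI_FACTOR = POLICY_BASE + "multi-factor"
MULTI_FACTOR_PHYSICAL = POLICY_BASE + "multi-factor-physical"
NONE_POLICY = POLICY_BASE + "none"   # what an OP returns when it applied no policy


def build_pape_request(policies, max_auth_age=None):
    """Parameters the RP appends to its checkid_setup request."""
    params = {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": " ".join(policies),
    }
    if max_auth_age is not None:
        params["openid.pape.max_auth_age"] = str(int(max_auth_age))
    return params


def check_pape_response(resp, requested, max_auth_age=None, now=None):
    """Return (ok, reasons).

    This verifies only that the OP's *claim* is present, covered by the OP's
    signature and consistent with what was requested. It cannot verify that
    the OP actually performed the authentication it claims to have performed."""
    reasons = []
    if resp.get("openid.ns.pape") != PAPE_NS:
        return False, ["PAPE namespace missing: openid.pape.* fields are not PAPE"]
    signed = set(resp.get("openid.signed", "").split(","))
    # A PAPE field outside openid.signed is not covered by the OP's signature,
    # so anything on the path (the user's browser included) could have set it.
    for field in ("pape.auth_policies", "pape.auth_time", "pape.nist_auth_level"):
        if "openid." + field in resp and field not in signed:
            reasons.append(f"{field} present but not signed")
    claimed = set(resp.get("openid.pape.auth_policies", "").split())
    claimed.discard(NONE_POLICY)
    missing = set(requested) - claimed
    if missing:
        reasons.append("OP did not claim requested policies: " + " ".join(sorted(missing)))
    if max_auth_age is not None:
        auth_time = resp.get("openid.pape.auth_time")
        if auth_time is None:
            reasons.append("max_auth_age requested but no auth_time returned")
        else:
            # PAPE auth_time is UTC in the form YYYY-MM-DDThh:mm:ssZ
            t = dt.datetime.strptime(auth_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)
            now = now or dt.datetime.now(dt.timezone.utc)
            if (now - t).total_seconds() > max_auth_age:
                reasons.append("authentication older than max_auth_age")
    return (not reasons), reasons


# Constructed sample responses (not captured from any real OP).
NOW = dt.datetime(2024, 1, 1, 12, 0, 0, tzinfo=dt.timezone.utc)
CORE_SIGNED = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
HONEST = {
    "openid.ns.pape": PAPE_NS,
    "openid.signed": CORE_SIGNED + ",pape.auth_policies,pape.auth_time",
    "openid.pape.auth_policies": PHISHING_RESISTANT + " " + MULTI_FACTOR,
    "openid.pape.auth_time": "2024-01-01T11:58:00Z",
}
DECLINED = {**HONEST, "openid.pape.auth_policies": NONE_POLICY}
UNSIGNED = {**HONEST, "openid.signed": CORE_SIGNED}
STALE = {**HONEST, "openid.pape.auth_time": "2024-01-01T10:00:00Z"}

if __name__ == "__main__":
    print(build_pape_request([PHISHING_RESISTANT], max_auth_age=300))
    for name, r in [("honest", HONEST), ("declined", DECLINED), ("unsigned", UNSIGNED), ("stale", STALE)]:
        print(name, check_pape_response(r, [PHISHING_RESISTANT], max_auth_age=300, now=NOW))
```

The `openid.signed` check is the one practitioners most often skip: a `pape.auth_policies` value that is not in the signed field list proves nothing even about what the OP said, let alone what it did. Everything after that check is still just the OP's word, which is exactly the gap the question is asking about.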