Thread. However well-intentioned W is (and I do think it is a valuable concept), it still needs to withstand scrutiny, demonstrate accountability, and deliver a service that is worthy of the trust people have to place in it. There's no shortcut to GRC.
W Identity (widentity.eu) asks people to hand over passport scans, a biometric selfie and their date of birth to prove who they are. The reflected XSS vulnerability let attacker-controlled JavaScript run on your site's own origin.
For an identity provider, your response is way too relaxed.