StartCom Web of Trust

October 6, 2006

Sxipping In, User Centric Identity and its Relationship to a CA

Filed under: Digital Identity, identity — startssl @ 9:25 pm

Sxip, OpenID, CardSpace (formerly InfoCard) and i-names are user-centric models of identity.

I find the whole idea about this extremely interesting, but there are some things to consider.

Privacy… am I going to give this site my real info?

Authority… how are sites to know that I am providing my real info, or do they care?

These user-centric models of data mean that the user can create their own persona to carry around from site to site. In some cases I may want absolute anonymity, say if I am Chinese and trying to blog; in other cases I may want 100% certainty that I am who I say I am. These user-centric models mean that I can claim anything I like, and that is fine for anonymous access, so I am more concerned with providing reasonable certainty that I am who I say I am.
Let’s face it, with spammers and phishers and every other kind of creep out there, it’s really hard to state that a person visiting your site is who they claim to be. So how can I state that I am who I say I am in a trustworthy way? You could think of this as something like trying to validate that an email came from the person listed in the “From” header.
On the internet just about everything is easy to fake; only encryption can really help. So we come to public/private key encryption. As I have stated before, PGP is only good for anonymous and pseudo-anonymous encryption, but actually any keypair that isn’t backed up by a statement from a trusted source is going to have the same problems. This is because without a trusted source there is no validation that you are getting the key you think you are and not a well crafted fake. The only people capable of making trustworthy identity assertions are governments (ok, this is a bit of an exaggeration, but it’s the closest to the truth as I am going to bother with); the only other group that is trying to make identity assertions are Certificate Authorities, like StartCom and VeriSign. However, not all CAs have the same rules about validating the identity of their users.
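To make the "statement from a trusted source" concrete, here is an added example in Go (not code from this post or from StartCom): a relying site accepts a persona's signed claim only when a CA has signed the name-to-key binding, so a self-asserted persona using the same name, or a swapped key under a copied CA signature, is rejected. The persona format, the binding encoding and the use of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Persona is a user-centric identity carried from site to site. CASig is the
// CA's signature over the name/key binding: the "statement from a trusted source".
type Persona struct {
	Name   string
	PubKey ed25519.PublicKey
	CASig  []byte // empty for a persona the user merely claims
}

func bindingBytes(name string, pub ed25519.PublicKey) []byte {
	return append([]byte(fmt.Sprintf("%d:%s", len(name), name)), pub...)
}

// CertifyPersona is the CA issuing its statement after validating the user.
func CertifyPersona(caPriv ed25519.PrivateKey, name string, pub ed25519.PublicKey) Persona {
	return Persona{Name: name, PubKey: pub, CASig: ed25519.Sign(caPriv, bindingBytes(name, pub))}
}

// VerifyAssertion accepts a claim only if the CA vouched for this exact name/key
// pair and the claim is signed by that key; a self-asserted or key-swapped persona fails.
func VerifyAssertion(caPub ed25519.PublicKey, p Persona, claim, sig []byte) bool {
	if !ed25519.Verify(caPub, bindingBytes(p.Name, p.PubKey), p.CASig) {
		return false // no trusted statement behind this key: could be a well crafted fake
	}
	return ed25519.Verify(p.PubKey, claim, sig)
}

// Scenario checks a genuine, a self-asserted and a key-swapped "alice"; all keys are freshly generated (constructed data).
func Scenario() (genuine, selfAsserted, swappedKey bool) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	malPub, malPriv, _ := ed25519.GenerateKey(rand.Reader)
	claim := []byte("I am alice and I consent to share my email address")
	alice := CertifyPersona(caPriv, "alice", alicePub)
	genuine = VerifyAssertion(caPub, alice, claim, ed25519.Sign(alicePriv, claim))
	fake := Persona{Name: "alice", PubKey: malPub} // same name, no CA statement
	selfAsserted = VerifyAssertion(caPub, fake, claim, ed25519.Sign(malPriv, claim))
	swapped := Persona{Name: "alice", PubKey: malPub, CASig: alice.CASig} // copied CA sig, other key
	swappedKey = VerifyAssertion(caPub, swapped, claim, ed25519.Sign(malPriv, claim))
	return
}

func main() { fmt.Println(Scenario()) }
```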

The assertion of an identity is a tricky business, and I have set forth a plan earlier on how to make it reliable, but the ruling has been that relying on volunteers means that there is no reliability. Still, the ability for a user to associate a persona with a particular certificate, or group of certificates, would be like having a choice of ID cards, some very reliable, like a driver’s license, some not, like a library card. I see a great deal of value in making a CA a homesite, as in making a CA a membersite.

As a homesite, users would have a choice place to share their data from, one that is authoritative. As a membersite, a CA could speed up user registration.

Either way there seem to be a lot of reasons to make the association between a user-centric account and a CA account or certificate.

4 Comments

  1. Eddy Nigg

    The idea is very interesting indeed, but without any validation form, the quality of data might be problematic. In real life, a person has usually only one identity – the same identity which should be used to access protected web sites – but without compromising the very same personal information. Most likely, the CA role is the missing link here.

    Hopefully these identity protocols and their software get to a stable level soon, and with adding additional security (storage of data etc.), a verification model seems to be inevitable.

    Comment by Eddy Nigg — October 10, 2006 @ 7:23 pm

  2. startssl

    If the user only has to enter their data once, they are more likely to make it correct. With the granular control the users have over which data is released, they can feel more at ease about filling in the data correctly. Furthermore, if you have a CA, who is acting as the user’s homesite, validate the user’s data, you now have trustworthy data.

    The issue I see is that the code I have looked at transports the user’s data from site to site unencrypted, and without validation that the site is who THEY say they are. SSL and DNSSEC together could solve this problem, but I am not sure that it is even seen as a problem yet.

    Comment by startssl — October 11, 2006 @ 8:48 am

  3. Eddy Nigg

    I agree! I think it would be a good idea to contact the various leaders, especially Sxip, OpenID, and let them do some thinking… Securing of A) network and transport related options, B) storage and audit? thereof. In addition to that, there might be an idea of a protocol extension, which would define the source or trustworthiness of the date, e.g. not validated, reasonably validated and highly validated… Or something along these lines…

    Comment by Eddy Nigg — October 14, 2006 @ 6:39 pm

  4. Eddy Nigg

    Meant: trustworthiness of the data, not date…

    Comment by Eddy Nigg — October 14, 2006 @ 6:40 pm
