We now theoretically will have three different assurance levels going, based on three different SSL certificate levels (no certs, regular certs, and HA certs). For there to be 3 CardSpace assurance levels would imply that the LoA is the same for self-asserted and managed cards. Is this the case? If authentication (and not the transfer of other attributes) is the desired function, can an Infocard RP have the same level of assurance (i.e. confidence that the individual presenting the card is the valid one) in the two different models?
Typically the LoA an RP can ascribe to a credential is determined by a number of factors, some technical and some not (i.e. business & legal). A self-asserted card would appear to deprecate all the non-technical factors, as there need be no partner IdP with which contracts would be signed (presumably Microsoft has appropriately covered its legal butt with a disclaimer somewhere in the shrink-wrap trail so they aren't in the liability mix).
If nothing else, a managed card would seem to have more moving parts that could impact assurance.