I apologize for continually throwing rocks at other people’s glass houses
I see no glass (which, I admit, is sort of a defining characteristic of the 'glass house' phenomenon) and I think Pam's aim is off - she just splattered the big plate glass window of the Joneses next door.
She challenges my claim/assertion that a self-asserted card can create only technical confidence, and not legal or business confidence.
"I see absolutely no reason why I would hesitate to associate a self-issued information card ... If I read Paul's taxonomy correctly, there would be technical confidence but no legal confidence, even though I as an end user do indeed have a contract with my bank."
But my arguments were expressed in terms of the level of assurance that the RP can ascribe to the authentication - not whatever the user can. It's not the user that may think differently about the comparative assurance made possible by a 3rd party IdP, it's the RP (99.8% of users will be completely oblivious to the fact that they are even different).
And while yes, there may well be a contract between the self-asserted-card-presenting user and the RP, am I naive in thinking that an RP protecting sensitive and/or valuable resources, one worrying about potential damages should a spurious authentication occur, one for which authentication & associated management is not a core capability, might rather rely on a contract with a business entity that had a bank account balance not determined by the ebb & flow of monthly mortgage & car payments?
Would it help if I drew my business confidence diagram such that there was a non-zero amount of assurance for self-asserted cards? But that I maintained the potential advantage that a card managed by a 3rd party IdP can provide?
With respect to Pam's other stone,
"Let's go past an authentication-only scheme and say that my bank will trust everything I assert from my self-issued card. That boils down to contact information - the same stuff that many websites let me change already."
I have never attempted to extend the argument beyond authentication to attributes. As Pam points out, attributes introduce a whole different set of issues around sourcing & verification.
Pam closes off with
"there is certainly no reason to malign either card mechanism until proof exists that either one is more vulnerable than the other"
I guess this is for Gerry because I was in no way trying to malign self-asserted cards, merely pointing out that introducing a 3rd party into the mix (through a managed card) makes possible (but does not guarantee) a higher level of assurance for the RP (through business constructs like a "good ol' fashioned I'll sue the a$% off you if you break it" contract). Heck, I like self-asserted cards, some of my best friends are self-asserted.
Pam, I hope you have insurance - the Joneses are very litigious. :-)
And of course, the privacy characteristics of self-asserted vs managed cards are a completely different issue. But that doesn't stop Ben from trotting it out. I must get 'Liberty Dude' added to my business cards (the self-asserted ones).