*sigh* Now in addition to a real-world wallet full of plastic cards to sort through, I'll have a virtual wallet bulging with duplicative certificates for dozens, if not hundreds, of organizations I do business with.

Or I could have a couple of general-purpose certificates (maybe I want a separate one for high-value transactions, or separate business and home certificates) marked as usable for personal identification. The cert. doesn't *contain* the information; it identifies me to the repository of the information. An entity presents my opaque identifier together with *its* identifier to the repository along with a request for certain information. The repository consults the access-control list on my entry and replies with either the information or "not authorized". How hard could it be?

But however it works, this time the persons being identified need to get themselves included in the design process, so that the design has the features and guarantees that they require, and not just what the businesses require to cover themselves in the event of failure.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/11377/33133#33133