Warning: opinion follows :)
A while back I blogged on the difference between self-issued and managed information cards, which led to an interesting comment from Aditya:
I was wondering if you could further explain why a self-issued information card is not suitable for higher-risk transactions such as logging into a bank account. From what I gather, the advantage of a managed card would be that it could assert certain claims about a person (like the hair length example you mentioned). However, I'm not sure why managed cards are more secure just for logging in.
It's not that managed cards are more "secure" than self-issued cards; the protocols used under the hood are the same. What a managed card gives you over a self-issued card is the ability to revoke it and the ability to add further authentication requirements.
I'm sure most of us, at some point as a child, were a member of a club that you set up with friends. You may well have issued membership cards, much like Calvin and Hobbes had for Get Rid of Slimy girlS. This is equivalent to a self-issued card. OpenID doesn't improve on this very much: an OpenID provider may check that the email you registered with belongs to you, but there is no way for a relying party to know whether this process has taken place. With managed cards issued by a third party we have the same problem; the identity provider is claiming information about the card holder, but we do not know whether it is true unless we know the inner workings of the identity provider. We should also consider revocation: there is no way to revoke a self-issued card. OpenID providers may provide a way to kill an OpenID
However, if we become an identity provider ourselves, then we have a far better chance of verifying any information we send beyond a PPID. With the Geneva framework that becomes plug and play for people with an Active Directory backing their user metaverse; or, as with SharpSTS, a bit of coding if you use something else.
So consider a banking scenario: when you open a bank account in the UK you have to prove your identity by providing a passport, driver's license or other governmental photo identity. A bank is not going to accept a photo ID backed by Get Rid Of Slimy girlS. Equally, a bank is not going to accept an identity card from a company it doesn't have any dealings with. So why should a bank accept a self-issued card or an OpenID to allow access to your accounts?
Now, arguably, self-issued cards and OpenIDs could be bound to an account if the bank could trust a user to look after their information; but, as we're all aware, everyday users are not good at this.
The advantage of a managed card is not that the transactions are more secure, but that a bank could issue its own information card (or its own OpenID, although that goes against the whole point of OpenID, which wants to be the sole username and password you use for everything) and know that the card is valid at every stage; furthermore, a bank can revoke a card on instruction from the account holder. Remember that managed cards don't have to prompt for usernames and passwords (a nice extension would be the ability to change the password prompt each time it is used, "Give me letters 3, 5 and 7 from your password" for example), so the flow for a user could simply be selecting the bank's information card; even if we issued a managed card that uses a self-issued card as the authentication step, we can still revoke the managed card.
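To make the trust and revocation difference concrete, here is a small model I have added for this post; it is not CardSpace, Geneva or SharpSTS code. The `SelfIssuedCard`, `IdentityProvider` and `RelyingParty` classes and the HMAC tag standing in for the real token signature are all my own simplifications. The wire protocol is taken as given, since as the post says it is the same for both card types; what the model shows is what a relying party can actually conclude afterwards: a self-issued card yields only a pairwise PPID, whereas a managed card's claims are vouched for by a trusted issuer, can require a fresh authentication step, and stop working the moment the issuer revokes the card, because every token is minted by the issuer at presentation time.

```python
"""Toy model of the trust decision a relying party makes for a self-issued
versus a managed information card. Constructed illustration, not product code."""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Token:
    issuer: str        # "self" for a self-issued card, otherwise the IdP name
    card_id: str
    claims: dict
    signature: str     # HMAC tag standing in for the real XML signature


def _tag(key: bytes, issuer: str, card_id: str, claims: dict) -> str:
    body = json.dumps([issuer, card_id, claims], sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class SelfIssuedCard:
    """Minted and held by the user alone; nobody vouches for it and nothing
    outside the user's own machine can stop it being presented."""

    def __init__(self) -> None:
        self.card_id = secrets.token_hex(8)
        self._key = secrets.token_bytes(32)

    def ppid(self, relying_party: str) -> str:
        # Pairwise identifier: the same card shows a different PPID to each RP.
        return hashlib.sha256(f"{self.card_id}|{relying_party}".encode()).hexdigest()[:16]

    def token(self, relying_party: str, **claims) -> Token:
        # The user may put any claim they like in here; only the PPID is meaningful.
        claims = {"ppid": self.ppid(relying_party), **claims}
        return Token("self", self.card_id, claims, _tag(self._key, "self", self.card_id, claims))


class IdentityProvider:
    """Issuer of managed cards (the bank in the post). Tokens are minted here
    at presentation time, so revocation and extra authentication bite at once."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.key = secrets.token_bytes(32)   # bank-as-IdP shares it with bank-as-RP
        self._cards: dict = {}
        self._revoked: set = set()

    def issue_card(self, **verified_claims) -> str:
        card_id = secrets.token_hex(8)
        self._cards[card_id] = verified_claims   # claims checked at account opening
        return card_id

    def revoke(self, card_id: str) -> None:
        self._revoked.add(card_id)

    def token(self, card_id: str, relying_party: str, authenticated: bool) -> Optional[Token]:
        # Refuse unknown, revoked or unauthenticated requests.
        if card_id not in self._cards or card_id in self._revoked or not authenticated:
            return None
        claims = dict(self._cards[card_id], audience=relying_party)
        return Token(self.name, card_id, claims, _tag(self.key, self.name, card_id, claims))


class RelyingParty:
    def __init__(self, name: str, trusted: dict) -> None:
        self.name = name
        self.trusted = trusted   # issuer name -> verification key

    def evaluate(self, token: Optional[Token]) -> tuple:
        """Return (accepted, claims the RP may rely on, reason)."""
        if token is None:
            return False, {}, "issuer declined to mint a token"
        if token.issuer == "self":
            # Key possession gives the RP a stable handle and nothing more.
            return True, {"ppid": token.claims["ppid"]}, "self-issued: PPID only"
        key = self.trusted.get(token.issuer)
        if key is None:
            return False, {}, f"untrusted issuer {token.issuer}"
        expected = _tag(key, token.issuer, token.card_id, token.claims)
        if not hmac.compare_digest(expected, token.signature):
            return False, {}, "bad signature"
        if token.claims.get("audience") != self.name:
            return False, {}, "token minted for another relying party"
        return True, dict(token.claims), "managed: issuer vouches for claims"
```

Run the self-issued path against a `RelyingParty` with an empty trust list and the only claim that survives is the PPID, however many extra claims the card asserts; run the managed path, call `revoke`, and the issuer simply stops minting tokens for that card, which is the revocation the post is describing.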
If you're at TechEd go ask Vittorio for his thoughts on this; tell him I sent you *grin*