The solution that discloses the least amount of identifying information and best limits its use is the most stable long-term solution.

One of the tenants of the "Laws of Identity" is minimal disclosure; so why are people ignoring this when they implement Information Cards?

There are a three main uses (in my mind) for Information Cards; "form filling" (email address, name, etc.), authentication and authorisation via claims; all important as I try to write the last bit of SharpSTS and start to issue my own demonstration cards. These are separate functions in most web sites, form filling is used in the initial registration process, authentication at login time and authorisation during runtime; but in the information card sites I use (the main one being; which is an OpenID provider, and Pamela Project backed WordPress blogs, such as Kim’s) "form filling" and authentication happen all the time.

When you design your web site your login page is probably going to ask for two things; a username and a password (and perhaps if the user wants to be remembered). You don’t ask the user for their email address, their first name and their last name every time; that is the function of initial registration; yet when you look at the claims requested by Information Card sites right now you see the following (this is the information that is being requested from Kim’s blog; requests the same);

Too Much Information

During logon the only real claim you require is the PPID - the equivalent of username and password; so why are these sites also asking for name and email address? There’s an argument here that they may not store that information; which certainly isn’t true with; they save the details as part of the registration process; they shouldn’t need it again unless it changes. You could argue that this way they can detect changes automatically, which makes for a smoother user experience; this is true, but the idea of a web site changing my information without telling me or without more interaction worries me somewhat.

Of course we can extend this; the date of birth claim is a good example. To take Vittorio’s usual example of wine/beer shops; they don’t need to know your date of birth, simply that you are of legal age. This is more complicated as there is not a standard claim for this sort of information; and of course the age varies from country to country; an Over18 claim in the UK would not be valid in the US because there you need to be over 21 (it’s at this point I start to wish for wildcard, standardised claim names so I could create a card which supports AgeOver* instead of creating a card with numerous claims of varying AgeOver claims).

I realise I’m kind of stretching the original minimal disclosure law; but to request all that information every time? That just seems wrong to me.