I have recently been reading the discussions between Kim Cameron and Dick Hardt, not to mention the outside commentary as well, concerning the use of client-side security and where it fits in. I found this very interesting due to the fact that when I initially began playing with InfoCards, this was one of the features that drew me in. I am neither an identity nor security expert, nor have I had much time to play around with OpenID (that will be changing soon), so I am going to assume my final understanding of what I read is correct and that OpenID currently needs an additional third-party plug-in to perform the same client-side security as InfoCards. If I am incorrect in this assumption, someone please correct me.
If this really is the identity revolution, power to the people and all that jazz, then it really needs to be done correctly from the start. Personally, how it all works or what protocols are used is of much lesser concern to me than what will happen when the technology gets in the hands of my Dad. You can all stop wondering WTF I am talking about as I'll elaborate on that.
Most everyone reading this is tech savvy enough to understand the threats the Internet poses and can configure their system to prevent/eliminate most of them. Now how many of you out there also have family members with computers, and when you talk to them it's pretty much a miracle when they don't have some problem or another? Come on, tell the truth, everyone has at least one person in their family like this. To top it off, guess who gets to be their tech support....
Unless all the pieces of the puzzle are already part of the package, there are going to be a lot of unfinished puzzles. I have a hard enough time trying to walk him through installing most programs (you know the ones where you pop the CD in the drive and click "Install"). When the average Joe finally gets a hold of a new digital identity (whatever form it ends up being), do you really think they realize there is a potential security risk? I sure don't, and because the client-side security piece is an add-on rather than a requirement, the average Joe never installs it. Their digital identity works just fine, so of course there is nothing else that needs to be done. It won't be until you get the phone call that their information was stolen, or some other story, that you realize they had even started using a digital identity, let alone that they didn't have enough protection.
I'm not arguing for or against the use of InfoCard, OpenID or any other solution out there. I just really think that the client piece should be mandatory. Take for instance all the people scammed by phishing sites over the years. Prior to the support being built into browsers now, third-party plug-ins and add-ons existed to protect against it, yet people still fall prey to them. If something could have been done from day one to prevent it, or at least minimize the risk, don't you think it would have been a good idea to implement it off the bat? IMO, the chance for that is now for these identity solutions.