
OpenID: So Simple It Hurts?

26 February 2007

The dust has settled now after RSA and folks are starting to examine the implications of what came out of it, namely the widespread support for Cardspace and OpenID.

Reactions are not all positive: Mike Taulty (of whom I’m a reader) writes
"Is this about web pages or is this about my identity? Why would an identity solution involve a web page? Can I have an identity if I don’t have a web-page? If not, why not? HTML??? Are you kidding me?!?!?" [LINK]

Taulty raises an excellent point: "…we’re solving an identity problem with a presentation technology…"
Somewhat true. HTML and redirects are referenced in the OpenID spec. I think the point that might be getting lost is what you’re trying to do, which is "to say something about the subject", in this case that you are who you say you are. The OpenID spec simply employs DNS as a means to do this.

As Kim Cameron says [LINK]: "How do I know I am looking at his web page or talking to his identity provider? By calling them up on DNS.

… It is as strong, and as weak, as DNS. In other words, it is great for transactions that won’t attract criminal attack, and terrible for those that will."

Now we all know the list of "transactions that won’t attract criminal attack" is somewhere between zero and the cardinality of the null set but let’s ignore that for now.

My take on OpenID is that it’s an alternative means of providing identity federation without a lot of the PKI overhead of, say, a WS-* specification. Think of it like REST-style XML over HTTP access to data. You could implement SOAP, but a lot of folks prefer XML/HTTP as it’s much lighter weight and meets the need.

Hans over at Commented.Org writes
"And as fine technologies as they are, there is a problem: By centralizing the user’s many identities into a few (or just one), CardSpace and OpenID effectively create a single point of failure. Once the end-user has one identity, losing access to the same is devastating. Or to put it differently: when all your secrets are behind one locked door, you don’t want to lose the key to the door!" [LINK]

This one I actually can clear up quite well: the point of CardSpace, OpenID, etc. is not to centralize a user’s identity at all. The point is to standardize on a meta-system by which identity information can be exchanged. You can still have as many identities as you have today, and you can protect these identities, and the services they in turn provide access to, in a higher-assurance manner.

Even if you do maintain a single identity, not every site is going to need every piece of claim information contained in that identity. The meta-system provides a means to pass around only what is needed, too.
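To make the two mechanical points above concrete (that OpenID resolves "you are who you say you are" through an HTML page reached via DNS and redirects, and that a relying party asks only for the subset of claims it needs), here is an added example of the relying-party side of OpenID 1.1 discovery and redirect construction. It is not code from the original post or from any OpenID library; the identity page, the hostnames `idp.example.net` and `rp.example.com`, and the claimed identifier are constructed for the example. The link-rel discovery and `checkid_setup` / Simple Registration (`openid.sreg.*`) parameters follow the OpenID 1.1 and SREG specs.

```python
"""Added example (not from the original post): OpenID 1.1 relying-party
discovery and checkid_setup redirect construction.

Shows where HTML (the identity page), redirects (to the provider) and DNS
(resolving the identifier's host) enter the protocol, and how the RP asks
for only a subset of claims via Simple Registration.
"""
from html.parser import HTMLParser
from urllib.parse import urlencode, urlparse, urlunparse

# Constructed sample: the HTML an RP would fetch from the claimed identifier URL.
# In a real flow this comes from whatever host DNS resolves the identifier to,
# which is exactly why the scheme is "as strong, and as weak, as DNS".
SAMPLE_IDENTITY_PAGE = """<html><head>
<title>Alice</title>
<link rel="openid.server" href="https://idp.example.net/openid/server">
<link rel="openid.delegate" href="https://idp.example.net/users/alice">
</head><body>Alice's home page</body></html>"""


class _LinkRelParser(HTMLParser):
    """Collects <link rel="..." href="..."> pairs from the document head."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            # A rel attribute may hold several space-separated tokens; first wins.
            for token in rel.lower().split():
                self.links.setdefault(token, href)


def normalize_identifier(claimed):
    """Normalize a user-typed identifier the way OpenID 1.1 RPs do:
    add an http:// scheme if missing, lower-case the host, default path '/'."""
    if "://" not in claimed:
        claimed = "http://" + claimed
    p = urlparse(claimed)
    return urlunparse((p.scheme, p.netloc.lower(), p.path or "/", "", p.query, ""))


def discover(identifier_html):
    """Return (server_url, delegate_or_None) from the identifier page's head.
    Raises ValueError when the page carries no openid.server link."""
    parser = _LinkRelParser()
    parser.feed(identifier_html)
    server = parser.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link found on identifier page")
    return server, parser.links.get("openid.delegate")


def build_checkid_setup(server, claimed_identifier, delegate, return_to,
                        trust_root, required_claims=(), optional_claims=()):
    """Build the checkid_setup redirect URL sent to the identity provider.
    Only the listed SREG fields are requested: the RP names the subset of
    claims it needs instead of receiving everything the identity holds."""
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": delegate or claimed_identifier,
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    }
    if required_claims:
        params["openid.sreg.required"] = ",".join(required_claims)
    if optional_claims:
        params["openid.sreg.optional"] = ",".join(optional_claims)
    sep = "&" if "?" in server else "?"
    return server + sep + urlencode(params)


def rp_flow(claimed, identity_html, return_to, trust_root):
    """End-to-end RP side: normalize, discover, then build the redirect."""
    ident = normalize_identifier(claimed)
    server, delegate = discover(identity_html)
    return build_checkid_setup(server, ident, delegate, return_to, trust_root,
                               required_claims=("nickname",),
                               optional_claims=("email",))


if __name__ == "__main__":
    print(rp_flow("alice.example.org", SAMPLE_IDENTITY_PAGE,
                  "https://rp.example.com/return", "https://rp.example.com/"))
```

The trust decision is made entirely in `discover()`: the relying party believes whatever `openid.server` the fetched page names, and the page is fetched from whatever host DNS returns for the identifier. Nothing cryptographic binds the identifier to the provider at this step, which is the substance of Cameron's remark above.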

Kim’s written at length on the need to do this, and a great summary of the thinking behind it is contained in his Laws of Identity [LINK].
