Pamela Dingle takes some Liberty dudes to task for being obsessed with the letter of the spec. Her, perfectly reasonable, stance is that if she chooses to link a self-issued infocard to her bank account, then that’s at least as secure as any other means we know of for authenticating. Of course, she’s left out of this equation how she gets to make that association, and, of course, the Liberty dudes think you should only make such associations via the middleman of some kind of certificate issuer.
But there’s no reason to involve any card issuers in this at all – we have to have a relationship with the bank to get this off the ground in the first place, regardless of authentication mechanism, and, however that relationship works, we can use it to inform the bank about our self-issued card. Once we’ve done that we have strong authentication with the bank, no need for IdPs, CAs or any of that stuff. In fact, our authentication is stronger than if we had involved a third party – with a self-issued card, no-one else is in a position to make a forgery.
And, of course, we’ve removed a potential correlator of our activities from the equation. Score one for privacy.