Stefan Brands, eminent privacy and security researcher, asks good questions about user-centric identity. (I think they apply regardless of protocol. I have taken the liberty to replace some geeky terms with more plain ones, because I think it’s important that as many people as possible understand these questions)
- Can the individual consent to or withhold the release of identity data to anybody, any site, any company etc.? (on a case-by-case basis, informed, non-coerced,…)
- Can the individual see the actual identity data that is flowing? (Or is it encrypted for the receiver, so the user needs to trust their software vendors?)
- Can the individual hide the identity of the receiver of the information from the software system / website / organization that stores the identity information? (for example, does Visa know it every time you show your credit card?)
- Can the individual hide which information they wish to convey to anybody from the software system / website / organization that stores the information?
- Can the individual locally store and manage long-lived identity credentials? (If not, then all the individual’s actions – and therefore accounts – can be traced, simply by tracking what happened when)
- Can the individual pick and choose which attributes of the identity credentials are disclosed to anybody?
- Can the individual avoid using the same identifiers (think: social security number)? (If not, others can easily link the individual’s actions all across the web)
Stefan’s more technical list is more precise, and a bit broader; please consider his original post for more details.