Trusting the trusted third parties?
The higher-value certificates proposed for InfoCard and for the IE 7 phishing filter, which other browser developers are also evaluating, are one attempt to improve on devalued certificates. The lock in the IE status bar tells you nothing about the site you're connecting to, just that you've got a nice secure connection to whatever it happens to be. The plans for the high-security SSL certificates are that a business might have to supply the history of its company bank account, and might need to give a power of attorney to say that John Smith in the web development team is allowed to apply on behalf of the bank. The idea is not to rely so much on trusting the registrars as on having a trusted and secure process. And once there are higher-security certificates we'll need to expect businesses to get them or give us consumers a good reason why they haven't.
One problem with using PKI certificates is that they don't allow anonymity, which is one area both InfoCard and Higgins want to support. As Paul Trevithick puts it, "if we use today's certificates we'll build a digital wake that leads back to the poster". PKI certificates give everybody an ID that's technically secure - but they don't give us much help with limiting the information we disclose. And certainly, they're not accessible to the average naive user. Nick and I could probably find someone in between us who we both trust enough to certify our reputations. But with the identity metasystem we could use the eBay, Amazon or Slashdot reputations we've acquired as identities.
And because the identity metasystem interconnects identity systems rather than replacing them, if you want to interact with PKI certificates to allow access to your site, you could do it with an STS. The identity metasystem will give sites more of a choice of identity providers; a site can accept OpenIDs or NetMesh InfoGrid LIDs or PKI certificates or all of the above without having to code up for them all individually. Abstracting what an identity is from who certifies it makes identity far more flexible and useful. Verisign is signing up for it - but they don't have to be the identity provider we all use.