Just came across Chis Ceppi's blog posts on more Less Databases. He suggests that:

...some aggregation of identity information into centralized systems would be a big step in the right direction. Each aggregation point will be held to higher benchmarks for trust, security, privacy, and open standards than any completely decentralized system can ever attain.

I disagree on (at least) two accounts: first, he's still talking about multiple aggregation points, so by definition (and being admittedly nitpicky) we're still talking decentralized. But the major issue is: who controls the identity information?

Chis seems to think that we can and should trust a very few, highly secure, semi-centralized databases. Perhaps we should trust the government to hold all our personal information? Or maybe Microsoft? (As I used to say, 'the only good thing about Passport is at least Microsoft won't buy their database.') Personally, I would rather trust who I want to trust, whether it's my bank or a personal identity broker (like 2idi) or my own home server running a hardened personal copy of the open source i-broker software on an encrypted file system.

Such an i-broker can provide other sites with the ability to access and potentially even cache portions of my personal information, assuming they sign and abide by the specifics of the appropriate data sharing contracts. Adherence to these social contracts is governed by a mixture of technology and community reputation metrics that each community can define and manage as they see fit. Such social mechanisms simplify usability and puts the privacy burden on policies and trust federations (which I believe can become very powerful force indeed).

In this way, the number of databases truly drops to one, and as there is just one me - and I am the best authority for any information related to me - it seems natural and normal that I would be in control over my personal information.