Two sides of Internet identity
The issue of identity on the Internet is a tricky one, and one of the things that makes it so confusing is that people often want them to do two different things:
- prove who someone is: the web site really is EBay's.
- prove who someone isn't: that email isn't from a well-known spammer.
This is confusing because the issue mostly doesn't came up in the real world, where physical identities are generally one to a person. Checking drivers' licenses at the door is all you need, whether you want to enforce a guest list or keep your creepy stalker ex-boyfriend out.
But no feasible Internet identity scheme is one to a person. This means that while Internet identity schemes (ranging from Microsoft Passport to LiveJournal user names to OpenID) can provide positive identification (you are someone I know), they cannot provide negative identification.
In turn, this means that if you need negative identification on the Internet the only way to create it is manually, with a 'whitelist' of positive identification. If you want to make sure your creepy stalker ex-boyfriend is not reading your LiveJournal, you have to restrict who can read it to only people you've approved (and hope that you haven't been fooled by one of them).
Even positive identities mean less than people would like them to because it is very hard to reliably link one identity to another, especially to real world identities. VeriSign itself was once fooled into issuing a SSL certificate to a 'Microsoft' that wasn't the one headquartered in Redmond Washington (one story on this is here).
Any time someone proposes an Internet scheme that relies on negative identities (including but not limited to 'we can kill spam by requiring everyone to digitally sign their email, then refuse email signed by known spammers'), you should run for the hills.