If I understood correctly, an identity provider may decide whether it will require the certificate of the relying party before releasing the personal data stored by it. I assume this also means that the identity provider can determine which relying party certificates it is willing to accept. If this is the case, then the client will not be able to use the infocard of such an identity provider unless the identity provider accepts the certs of that relying party.

From the identity provider's legal standpoint it makes sense that it work this way, especially to protect the ID provider with regard to the data it is supposed to have verified and who relies on that verification.

On a day-to-day basis, however, I see this significantly restricting the capacity of the client to use infocards at will (e.g. the eBay infocard for other communities).

This also opens up the issue of ownership of the personal data and the additional data associated with it (e.g. reputation as a seller/buyer on eBay).

This is really going to get interesting.....

Is my understanding correct?

Thanks,
J.