Mike made a very good remark on the OSIS General mailing list that seems relevant to the discussion between Pam, Paul, and myself about assurance in distributed security:
There’s a reason that self-issued cards didn’t provide any ability to transmit a credit card number or national ID number. The good news is that Identity Providers sending such sensitive information are likely to not be willing to transmit it to relying parties they don’t have a business relationship with. Once you’re using managed cards for payment rather than typing credit card numbers into web forms, you’ll definitely have additional layers of protection working for you. […]
I fully agree with Mike here: as far as I understand, Mike is describing the IdP deployment model that Paul and I have been championing over the use of self-asserted cards for sensitive attributes.