Thanks for the link…
My core concept of identity is the public key of a private-public key pair; from that, permissions for anything that the identity can authorize are “granted” by a signature of the private key on the object’s identity, plus any other parameters like time, bandwidth, or size constraints. The “holders” of the object pass it to any authorized user. It gets interesting with shared authorities when you are keeping data encrypted at rest in third-party locations…
Out-of-band identity verification is quite powerful and secure compared to local-authentication-based systems, and it is actually “out there” with several major providers that have hundreds of millions of users already semi-trained in how to use it. It would be nice to have a separate, distributed identity authority to avoid dependence on “the big guys,” but it would be a big uphill climb to get it used outside of your own ecosystem, IMO.
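As an added illustration (not the poster's code or any real system's), the Go sketch below models the grant scheme in the post: the identity is an Ed25519 public key, the owner signs the object's identity together with an expiry and a size limit, and a holder checks that signature plus a fresh proof of possession before releasing data. The `Grant` layout and the `Issue`/`Authorize` names are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"time"
)
// Grant is a capability: the owner identity (an Ed25519 public key) authorizes Subject
// to read Object until Expires, at most MaxBytes per transfer. Format is this example's own.
type Grant struct {
	Object   string
	Subject  ed25519.PublicKey
	Expires  int64 // unix seconds
	MaxBytes uint64
	Sig      []byte // owner's signature over canonical()
}

// canonical length-prefixes the variable fields so one signed pair cannot be re-read as another.
func (g Grant) canonical() []byte {
	b := binary.BigEndian.AppendUint32(nil, uint32(len(g.Object)))
	b = append(b, g.Object...)
	b = binary.BigEndian.AppendUint32(b, uint32(len(g.Subject)))
	b = append(b, g.Subject...)
	b = binary.BigEndian.AppendUint64(b, uint64(g.Expires))
	return binary.BigEndian.AppendUint64(b, g.MaxBytes)
}

// Issue is run by the object's owner: the private half of the identity signs the grant.
func Issue(owner ed25519.PrivateKey, object string, subject ed25519.PublicKey, expires time.Time, maxBytes uint64) Grant {
	g := Grant{Object: object, Subject: subject, Expires: expires.Unix(), MaxBytes: maxBytes}
	g.Sig = ed25519.Sign(owner, g.canonical())
	return g
}

// Authorize is run by a holder before releasing g.Object: the owner's signature proves delegation,
// the requester's signature over the holder's fresh challenge proves it holds the Subject key
// (a leaked grant alone is useless), and the constraints are enforced with no online lookup.
func Authorize(owner ed25519.PublicKey, g Grant, challenge, proof []byte, now time.Time, size uint64) error {
	switch {
	case len(g.Subject) != ed25519.PublicKeySize || !ed25519.Verify(owner, g.canonical(), g.Sig):
		return errors.New("grant malformed or not signed by the object's owner")
	case !ed25519.Verify(g.Subject, append(append([]byte{}, challenge...), g.Sig...), proof):
		return errors.New("requester does not hold the subject key")
	case !now.Before(time.Unix(g.Expires, 0)):
		return errors.New("grant expired")
	case size > g.MaxBytes:
		return errors.New("transfer exceeds the grant's size limit")
	}
	return nil
}
```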