...the digital natives may be getting some better tooling faster than I thought. I am sure you already know there is a northern alliance and Redmond is U-Prove enabled. I fondly remember a lengthy conversation I had with Stefan Brands in Croatia several years ago, while he patiently explained to me how misguided the security-privacy collision course way of thinking is, and how real security is instead only achieved with privacy. If you have not already, I recommend you read Stefan's primer on user identification.
Here is hoping that the combination of Stefan's breakthrough innovation and some Redmond engineering talent equals a third security mechanism that we can all use (we already have the reference monitor (sort of) and crypto (ibid); a third mechanism wouldn't hurt). As iang points out, it's all about minimal disclosure. I guess what I see as the potential breakthrough is the mixture of the composable CBAC packaging framework with a set of algorithms that avoid the panopticon. An obvious worst case for SOA and Web services security is that instead of optimizing and creating interop for increased (read: message level) security, we instead optimize a panopticon! Instead we want to keep the interop but not enable the linkage, which is the precise problem that Stefan's work addresses.