Kim Cameron has posted seven very sensible Laws of Identity. Numbers 2 and 3 add up to more or less Need to Know:
2. Limited Disclosure for Limited Use
The solution which discloses the least identifying information and best limits its use is the most stable, long-term solution.
3. The Law of Fewest Parties
Digital identity systems must limit disclosure of identifying information to parties having a necessary and justifiable place in a given identity relationship.
But user identities have aspects that go beyond traditional spook security.