MicroID

A MicroID is a simple identifier comprising a hashed communication/identity URI (e.g. email, OpenID, and/or Yadis) and claimed URL.

Assuming the identity is not known (e.g. 1) the publisher has chosen to remain anonymous and 2) denies others the ability to verify the MicroID claim until a time in the future when the user reveals their identity), then someone with email addresses can perform a trivial dictionary attack to find ownership of resources, [2] someone with a URI can perform a trivial dictionary attack to find an email address.

[3] So the (only) remaining use case is where an entity generates a strong cryptographic nonce (e.g. a UUID), uses this to publish documents over time, and at some time in the future reveals the UUID so as to prove that the user wrote those documents (and accepts that from that point forward anyone can make any claims on his or her behalf).

However, research[2] on popular social websites such as Last.fm, Digg and ClaimID shows that a brute-force attack can recover the email address in 20–25% of the cases.

Despite this, the study showed a simple attack like this one could still be successful one quarter of the time while spending a fraction of a second to check all candidates for each user.
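The privacy argument above can be checked by a publisher against their own MicroID. The following is an added example, not code from the MicroID project or from the cited study. It assumes the commonly described construction sha1(sha1(identity URI) + sha1(claimed URL)), which this page does not spell out; the addresses, the URL and the function names are constructed for illustration.

```python
import hashlib
import uuid


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def microid(identity_uri: str, claimed_url: str) -> str:
    # Assumed construction (not stated on this page):
    # hex SHA-1 over the concatenated hex SHA-1 digests of both inputs.
    return sha1_hex(sha1_hex(identity_uri) + sha1_hex(claimed_url))


def verify_claim(published: str, identity_uri: str, claimed_url: str) -> bool:
    """True if the revealed identity URI reproduces the published MicroID."""
    return published == microid(identity_uri, claimed_url)


def linkable_identities(published, claimed_url, candidates):
    """Exposure check: which already-known identity URIs match the MicroID?

    No secret goes into the hash, so anyone holding the claimed URL and a
    list of plausible identities can run the same comparison.
    """
    return [c for c in candidates if verify_claim(published, c, claimed_url)]


# Constructed sample data (example.com is reserved for documentation).
PAGE = "http://blog.example.com/"
KNOWN_ADDRESSES = [
    "mailto:alice@example.com",
    "mailto:bob@example.com",
    "mailto:carol@example.com",
]


def demo():
    # Case 1: identity is an email address that appears in someone's list.
    email_id = microid("mailto:bob@example.com", PAGE)
    # Case 2: identity is a random UUID kept private until the owner reveals it.
    nonce_uri = uuid.uuid4().urn  # "urn:uuid:..." with 122 random bits
    nonce_id = microid(nonce_uri, PAGE)
    return {
        "email_linked": linkable_identities(email_id, PAGE, KNOWN_ADDRESSES),
        "nonce_linked": linkable_identities(nonce_id, PAGE, KNOWN_ADDRESSES),
        "nonce_verifies_after_reveal": verify_claim(nonce_id, nonce_uri, PAGE),
    }


if __name__ == "__main__":
    print(demo())
```

The email-based MicroID is matched by the candidate list, while the UUID-based one matches nothing until the owner discloses the UUID, at which point anyone can reproduce it.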