PIP, Seatbelt, and a New Information Card Use Case

I finally got around to playing around with some of the new features of the Verisign OpenID provider, PIP. One of the interesting new features they have added is a Firefox plugin called Seatbelt. Seatbelt automatically detects attempted OpenID authentication and automatically populates the ID field. It also will show your PIP session status and forward you to the PIP login page if needed. That’s very important from a usability standpoint.

I tried it out and it work pretty well, although doing the Relying Party first use case with a brand new web session seemed a little rough on a couple of site. Overall it was a really good user experience.

Here is an interesting question. Why do so many browser plugins for identity support Firefox rather than IE? I haven’t built a browser plugin so I don’t know how hard it is to do it in IE vs Firefox, but it seems odd that the first choice wouldn’t be the most popular browser.

Then I tried out the Information Card support in PIP. It was quite unexpected how it worked. I had imagined that I would be able to register a self-issued card and be able to authenticate to PIP as an OpenID provider using a Self-Issued Card.

What happens instead is that you authenticate to PIP using your User ID and Password and then download a Managed Information Card that has PIP as the IdP. Then for future OpenID sessions you can authenticate to PIP (which is your IdP) with a Managed Information Card which as PIP as the IdP.

Confused? It seems Information Cards is being used as a Phishing resistant user ID and Password login. In other words if you use the Managed Card option instead of using the web form for authentication, you are very safe from a phished MITM attack. This is a use case I had never thought of.

If I am misinterpreting this I would appreciate it if someone would let me know.

Now what would be really cool would be if my PIP Managed Information Card could be used to do SSO to other Information Card enabled sites. That way PIP could be my IdP for both OpenID and Information Cards.

(Mirrored from TalkBMC)


One response to “PIP, Seatbelt, and a New Information Card Use Case

  1. Hi: I’m the technical director for the PiP/SeatBelt products here in Verisign labs.

    In terms of your question about using PiP Managed cards as SSO to other CS enabled sites – you can and here is how.

    You need to create what we call a PiP Managed Identity Card. This is different from your account card. To create one go into MyOpenIDs and click on the link which says “Create Information Card”. We use your OpenID indentifier to create a managed identity card. You can fill in as much information as you would like (you can pull attributes from your My Information to make things easier) download and save the card. You’ll notice in your selector its a different color with a different label.

    You can then use this to do exactly what you were suggesting.

    Hope that helps.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s