I finally got around to playing around with some of the new features of the Verisign OpenID provider, PIP. One of the interesting new features they have added is a Firefox plugin called Seatbelt. Seatbelt automatically detects attempted OpenID authentication and automatically populates the ID field. It also will show your PIP session status and forward you to the PIP login page if needed. That’s very important from a usability standpoint.
I tried it out and it work pretty well, although doing the Relying Party first use case with a brand new web session seemed a little rough on a couple of site. Overall it was a really good user experience.
Here is an interesting question. Why do so many browser plugins for identity support Firefox rather than IE? I haven’t built a browser plugin so I don’t know how hard it is to do it in IE vs Firefox, but it seems odd that the first choice wouldn’t be the most popular browser.
Then I tried out the Information Card support in PIP. It was quite unexpected how it worked. I had imagined that I would be able to register a self-issued card and be able to authenticate to PIP as an OpenID provider using a Self-Issued Card.
What happens instead is that you authenticate to PIP using your User ID and Password and then download a Managed Information Card that has PIP as the IdP. Then for future OpenID sessions you can authenticate to PIP (which is your IdP) with a Managed Information Card which as PIP as the IdP.
Confused? It seems Information Cards is being used as a Phishing resistant user ID and Password login. In other words if you use the Managed Card option instead of using the web form for authentication, you are very safe from a phished MITM attack. This is a use case I had never thought of.
If I am misinterpreting this I would appreciate it if someone would let me know.
Now what would be really cool would be if my PIP Managed Information Card could be used to do SSO to other Information Card enabled sites. That way PIP could be my IdP for both OpenID and Information Cards.