The inner workings of VeriSign PiP
September 18th, 2007
A couple of weeks ago I talked about a little problem I had with VeriSign PiP. I thought you had to create a unique PiP account for each OpenID you wanted, but it turned out that PiP lets you use multiple OpenIDs in the same PiP account. So I emailed PiP support and Gary Krall, the technical director of PiP, replied. I explained the situation in which I created the extra PiP account and registered the OpenID. Then I realized my error and removed the OpenID from the new account, so I could add it on to my original PiP account, but PiP kept saying the OpenID was still in use. Here’s Gary’s reply:
The way the system is currently structured is, once an identity has been created, “claimed” if you will, and then deleted in our database, we do not “release it”. The reason behind this is we’ve given some thought to in the future allowing users to reclaim identities they have previously deleted. Also there is a chance that a user may have actually established a trust request with a relying party, and we do not want to get into a situation where a user established a trust, deleted it, and then suddenly that persona was claimed by another user. We’re trying to keep accounts bound as close as we can.
I totally agree with Gary. I don’t like letting old email addresses go stale and subsequently get released. I may no longer use them, but they still might have some accounts tied to them and I wouldn’t want that to be vulnerable. This solution the VeriSign guys came up with seems to fix that problem. So I decided to poke and prod Gary a little more to find out some other details.
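To make the policy concrete, here is a small added model of an identity registry (my own illustration, not PiP’s code) that tombstones a deleted OpenID rather than releasing it: the identifier stays bound to the account that first claimed it, only that account can reclaim it, and a relying party that stored the identifier can never see it presented by someone else. The `release_on_delete=True` mode models the recycling behaviour the post argues against. The account names, the `forum.example` relying party and the identifier string are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class IdentityRecord:
    owner: str                                      # account that first claimed the identifier
    active: bool = True                             # False once the owner deletes it
    trusted_rps: set = field(default_factory=set)   # relying parties the owner approved


class IdentityRegistry:
    """Maps OpenID identifiers to the account that claimed them (constructed model).

    release_on_delete=False is the behaviour Gary describes: a deleted identifier
    is tombstoned, still bound to its first owner, and only that owner may reclaim
    it. release_on_delete=True models a provider that recycles identifiers.
    """

    def __init__(self, release_on_delete=False):
        self.release_on_delete = release_on_delete
        self._records = {}

    def claim(self, identifier, account):
        rec = self._records.get(identifier)
        if rec is None:
            self._records[identifier] = IdentityRecord(owner=account)
            return "claimed"
        if rec.owner == account:
            rec.active = True            # original owner takes a deleted identifier back
            return "reclaimed"
        # Bound to someone else, active or tombstoned: never hand it over.
        raise ValueError(f"{identifier} is already in use")

    def delete(self, identifier, account):
        rec = self._records[identifier]
        if rec.owner != account:
            raise PermissionError("not the owner")
        if self.release_on_delete:
            del self._records[identifier]   # anyone may now claim it (the risky design)
        else:
            rec.active = False              # tombstone: unusable, but still owned

    def add_trust(self, identifier, account, relying_party):
        rec = self._records[identifier]
        if rec.owner != account or not rec.active:
            raise PermissionError("identifier not active for this account")
        rec.trusted_rps.add(relying_party)

    def trusted_relying_parties(self, identifier):
        rec = self._records.get(identifier)
        return frozenset() if rec is None else frozenset(rec.trusted_rps)

    def assert_identity(self, identifier, account):
        """True when the provider would vouch that `account` is `identifier`."""
        rec = self._records.get(identifier)
        return rec is not None and rec.active and rec.owner == account


def takeover_possible(release_on_delete):
    """Constructed scenario: alice claims an identifier, logs in to a relying
    party with it, then deletes it; a second account then tries to claim it.
    Returns True if the second account could be accepted by the relying party
    as alice's existing user."""
    idp = IdentityRegistry(release_on_delete)
    rp_users = {}                        # the relying party's own identifier -> local user map
    ident = "alice.example.pip"          # constructed identifier, not a real PiP URL
    idp.claim(ident, "alice")
    idp.add_trust(ident, "alice", "forum.example")
    rp_users[ident] = "alice-forum-profile"
    idp.delete(ident, "alice")
    try:
        idp.claim(ident, "mallory")
    except ValueError:
        return False                     # tombstoned: identifier stays with alice
    # The relying party only sees the identifier, so a fresh owner inherits the mapping.
    return idp.assert_identity(ident, "mallory") and ident in rp_users


if __name__ == "__main__":
    print("recycling provider, takeover possible:", takeover_possible(True))
    print("tombstoning provider, takeover possible:", takeover_possible(False))
```

The point the model makes is that the relying party has no way to tell a reclaimed identifier from a recycled one; it only ever sees the identifier string. Refusing to release the string, while still letting the original account reclaim it with its trust list intact, closes that gap on the provider side.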
First I asked him why there is no overall account info that is tied to each of the OpenIDs so that they all use the same info. 
He explained that they originally had this feature, but it was dropped in favor of customization of each OpenID. In this way, each OpenID could serve as a different persona that you may want to present to one website but not another. I can see that argument, but I don’t think I personally would want to be a 29-year-old male on some site and a 14-year-old female on another… unless I was a creepy guy on myspace… Anyway, they did include a little feature, as you can see above, where it will copy the data from the right pane to the selected field in the left pane. This means you’d have to update all your OpenIDs if any of your info changes, but this is still a nice shortcut to have.
I also asked Gary about whether you could have multiple security tokens per PiP account. Earlier I mentioned how Steve Gibson talked about this on a recent Security Now! podcast. Well, Gary replied:
Not in the immediate future. It is on the list of possible enhancements but we have more to do than team members to do it.
More enhancements than team members. Don’t we all know how that goes…