Summary
A lot of topics came up during the brainstorm, and I've tried to divide them up by sensible semantic groupings to summarize. The full notes are below:
Presentation / Interaction of Security UI
- always intercept user at point of task
- modify page content and in-page UI controls to make them more secure
- signal danger instead of safety
- provide safe alternatives, and enough information to make a decision
- don't ask the user to make a decision if they won't be equipped to do so (ie: no blamecasting)
- fewer dialog boxes with forced choices, more useful controls that help people make secure decisions
- let users reverse/revisit trust decisions
- always take safe path by default and validate/verify with users
Security Context Information to Leverage
- geo-location of endpoint (based on IP/tracert)
- FOAF or similar social network trust indicators
- user's browsing history
NetTrust, pagerank, delicious bookmarks
Technology to make Security Invisible/Part of Implementation
- SRP
- DKIM
- build up library of malicious code samples as XPATH snippets and block them at parser level
- bind password to SSL session (EKE)
- never send proxy-auth password in the clear
Nicely transcribed notes from the brainstorm
The whiteboarded notes from the brainstorm
