Things we'd like to do, but probably won't have time, or are in someone else's charter, or should be in the charter of some future WG
Fixing blogspam with a way to indicate a page came from an external source http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0016.html
A new record in DNS for the site to indicate security preferences/requirements the user agent should adhere to when visiting http://lists.w3.org/Archives/Public/public-wsc-wg/2007Apr/0147.html
Recommendations about presentation of detailed security context information for debugging and recovery purposes. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Apr/0221.html
Session fixation attacks http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0031.html
Preserving context across applications as part of security context http://lists.w3.org/Archives/Public/public-wsc-wg/2006Nov/0087.html
Future looking areas raised by ANEC and Bruno: http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jul/0017.html