1. Limitations to scripting capabilities, particularly related to browser
chrome manipulation.
2. Personalization of chrome with a visual that is sufficiently
random/personal. What happens to portability?
3. Interactive ceremonies that help establish a trusted path between
user and browser, e.g. Secure attention sequence (SAS). For security
sensitive functions, provide a SAS. Browser should make this possible.
4. Some kind of security monitor that monitors the security of the
connection. A separate channel that can't be spoofed.
5. Not having DHTML in certain modes.
6. Author using TLS when requesting user credentials.
7. Displaying a token on the website that authenticates the content
provider to the user. Make it a layered approach, initially show the
token on the website based on a cookie, and once the content provider is
authenticated, then ask for user authentication.
8. Consistent way to display Reputation Service data.
9. Reserved screen real estate.
10. Certain screen rendering can only be done by browser and not by web
content, e.g. transparency.
11. Using alternative devices for authentication/transaction
confirmation, out of band authentication.
12. Password Key TLS (aka SRP TLS). Does it belong to this list?

Sunil
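Added illustration for item 12 (not part of the original message): a toy SRP-6a exchange in Python showing why a password-authenticated key exchange is of interest for the trusted-path problem, since the server stores only a verifier, the password never leaves the client, and a spoofed site cannot complete the exchange without that verifier. The group parameters, the hash-to-integer encoding and all function names are assumptions of this demo; real deployments use the RFC 5054 groups, fixed-width padding and the M1/M2 proof messages, none of which are shown here.

```python
"""Toy SRP-6a exchange (constructed example, not a production implementation).

The group is a tiny safe prime so the arithmetic is readable; it offers no
security.  Real deployments use the 2048-bit or larger groups from RFC 5054,
fixed-width big-endian encodings and constant-time comparisons.
"""
import hashlib
import secrets

# Toy safe prime N = 2*509 + 1 with generator g = 2 (constructed; NOT secure).
N = 1019
g = 2


def _to_bytes(i: int) -> bytes:
    """Minimal big-endian encoding (assumption: no RFC 5054 padding)."""
    return i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big")


def H(*parts) -> int:
    """SHA-256 over the concatenation of ints / bytes / str, as an integer."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = _to_bytes(p)
        elif isinstance(p, str):
            p = p.encode()
        h.update(p)
    return int.from_bytes(h.digest(), "big")


k = H(N, g)  # SRP-6a multiplier


def private_key(salt: bytes, username: str, password: str) -> int:
    """x = H(s | H(I ':' P)).  Only the client ever computes this."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def register(username: str, password: str) -> dict:
    """Enrolment: the server receives (I, s, v) and never sees P."""
    salt = secrets.token_bytes(16)
    v = pow(g, private_key(salt, username, password), N)
    return {"I": username, "s": salt, "v": v}


def client_start(a: int = None):
    """Client picks an ephemeral a and sends A = g^a mod N."""
    a = a if a is not None else secrets.randbelow(N - 2) + 1
    return a, pow(g, a, N)


def server_respond(record: dict, A: int, b: int = None):
    """Server rejects A == 0 mod N, then sends B = k*v + g^b mod N."""
    if A % N == 0:
        raise ValueError("illegal client public value")
    b = b if b is not None else secrets.randbelow(N - 2) + 1
    B = (k * record["v"] + pow(g, b, N)) % N
    return b, B


def client_key(username, password, salt, a, A, B) -> int:
    """Client side: S = (B - k*g^x)^(a + u*x) mod N, then K = H(S)."""
    if B % N == 0:
        raise ValueError("illegal server public value")
    u = H(A, B)
    if u == 0:
        raise ValueError("u must be non-zero")
    x = private_key(salt, username, password)
    base = (B - k * pow(g, x, N)) % N
    return H(pow(base, a + u * x, N))


def server_key(record, A, b, B) -> int:
    """Server side: S = (A * v^u)^b mod N, then K = H(S)."""
    u = H(A, B)
    return H(pow(A * pow(record["v"], u, N), b, N))


def run_exchange(username, password, attempt, a=None, b=None):
    """Full exchange; returns (client_session_key, server_session_key).

    The keys agree only when the password the client types (`attempt`) is
    the one the verifier was derived from (`password`).
    """
    record = register(username, password)
    a, A = client_start(a)
    b, B = server_respond(record, A, b)
    return (client_key(username, attempt, record["s"], a, A, B),
            server_key(record, A, b, B))


if __name__ == "__main__":
    kc, ks = run_exchange("alice", "correct horse", "correct horse")
    print("correct password, keys match:", kc == ks)
    kc, ks = run_exchange("alice", "correct horse", "wrong horse")
    print("wrong password, keys match:", kc == ks)
```

Both sides reach the same session key from nothing more than the verifier on the server and the password on the client, which is the property that makes this attractive for item 12: a phishing page that lacks the verifier cannot derive the key, and the user never types the password into anything that transmits it.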