TODO: needs to be foleded in.

TODO: People who had comments on this during the meeting we discussed it in should fold them in here.

Todo: fold in /2006/WSC/wiki/NoteMozillaCurrentPractice

1) Making security indicators hard to guess, thus hard to spoof correctly

This is the category of security indictors that represent "shared secrets" between an entity that the user (in theory) trusts, whether it's the web user agent, or a particular web site/service. Examples include dynamic security skins (, petnames (and passpet), and web site personalization techniques (/2005/Security/usability-ws/papers/21-wright-position/).

Does anyone have other examples, or any better references on web site personalization or secret sharing? Something similiar but not exactly the same is Lotus Notes' display in the password prompt of a selection from a set of pictures (keychains) based on the user's typed input.

2) Designing a trusted path around security indicators

I'm guessing no browsers do that in general today, but it's the classic security technique ( What ctrl-alt-del provides today in some OSes. Rich clients such as Lotus Notes do not provide functions to put up displays where, for example, the security indicators at the bottom of the window are. A mode where no active content or secondary windows were allowed at all might provide this.

All interactive ceremony work would fall here (I believe). For example, Web Wallet. I'm not quite sure if the password management aspect of Passpet (and others) goes here. I think perhaps it does, along with other techniques and protocols that ensure that user information only goes to the places it's already been, or where the user intends, or no where at all (protocols that prove the site has a secret without passing that secret).

Other references/examples?

3) Specific techniques restricting the ability of web sites to produce displays that spoof or suppress web user agent security indicators

During discussion in the f2f I heard that (some? all major?) browsers a) do not allow web content to move the edges off browser window out of the display area (which might move security indictors out of the user's view) b) do not allow web content to put up windows without a minimal subset of security or other indictors (what were they?).

Are there other techniques in use or under consideration?