User talk:Mstone/Rainflow

From OLPC
Revision as of 00:32, 24 June 2009 by Mstone (talk | contribs)

Peer review Activity

Instead of making it a pure "security" activity (that "just gets in the way" like any security stuff and thus will be circumvented) it might be better to use a peer review approach, helping both the author and the peers to learn (about security etc.) while doing the certification.

A shared "source browser" with highlighting/bookmarks and chat might be a good start.

-- Sascha Silbe

Questions

SSL and browsers as they are used today.

What's the interesting evidence?

  • cjb points out: attestations about country of origin are helpful for anti-phishing efforts because some countries' providers are much more responsive to complaints than others'.

What's the ceremony?

What business opportunities does Rainflow offer?

  • (e.g. greater brand visibility to trustworthy attesters)?

Other Ideas

  • Do what is safe; prompt for unsafe things.
  • So what about that covert channel in CSS for detecting what sites you've visited?
  • Cards (business, credit, ...) and statements need to start carrying fingerprints and barcodes.
    • Then I can compare my cards with other people's.
  • The key lies in encouraging people to commit to things that are easier for legitimate users to do than for impostors. Repeated application of this principle gives hardness amplification.
  • So how does this play into REST? and sessions?
  • Also, how about search and browsing?
    • Perhaps people have templates that describe what kinds of data they're looking for?
  • Why did sshkeys.net fail?

Examples

  • Paul's geodata example
  • Automated scans of machines and software.
  • CAcert assurers
  • PGP key signings
  • "User clicks" vs. auto-updates