User talk:Mstone/Rainflow

Peer review Activity

Instead of making it a pure "security" activity (that "just gets into the way" like any security stuff and thus will be circumvented) it might be better to use a peer review approach, helping both the author and the peers to learn (about security etc.) while doing the certification.

A shared "source browser" with highlighting/bookmarks and chat might be a good start.

-- Sascha Silbe

Questions

SSL and browsers as they are used today.

What's the interesting evidence?

• cjb points out: attestations about country of origin are helpful for anti-phishing efforts because some countries' providers are much more responsive to complaints than others'.

What's the ceremony?

What business opportunities does Rainflow offer?

• (e.g. greater brand visibility to trustworthy attesters)?

Other Ideas

• Do what is safe; prompt for unsafe things.
• So what about that covert channel in CSS for detecting what sites you've visited?
• Cards (business, credit, ...) and statements need to start carrying fingerprints and barcodes.
  • Then I can compare my cards with other people's.
• The key lies in encouraging people to commit to things that are easier for legitimates to do than for impostors. Repeated application of this principle gives hardness amplification.
• So how does this play into REST? and sessions?
• Also, how about search and browsing?
  • Perhaps people have templates that describe what kinds of data they're looking for?
• Why did sshkeys.net fail?

Examples

• Paul's geodata example
• Automated scans of machines and software.
• CAcert assurers
• PGP key signings
• "User clicks" vs. auto-updates