User talk:Mstone/Rainflow: Difference between revisions
Jump to navigation
Jump to search
m (New page: === Peer review Activity === Instead of making it a pure "security" activity (that "just gets into the way" like any security stuff and thus will be circumvented) it might be better to us...) |
mNo edit summary |
||
(One intermediate revision by the same user not shown) | |||
Line 6: | Line 6: | ||
-- Sascha Silbe |
-- Sascha Silbe |
||
=== Questions === |
|||
SSL and browsers as they are used today. |
|||
What's the interesting evidence? |
|||
* cjb points out: attestations about country of origin are helpful for anti-phishing efforts because some countries' providers are much more responsive to complaints than others'. |
|||
What's the ceremony? |
|||
What business opportunities does Rainflow offer? |
|||
* (e.g. greater brand visibility to trustworthy attesters)? |
|||
=== Other Ideas === |
|||
* Do what is safe; prompt for unsafe things. |
|||
* So what about that covert channel in CSS for detecting what sites you've visited? |
|||
* Cards (business, credit, ...) and statements need to start carrying fingerprints and barcodes. |
|||
** Then I can compare my cards with other people's. |
|||
* The key lies in encouraging people to commit to things that are easier for legitimates to do than for impostors. Repeated application of this principle gives hardness amplification. |
|||
* So how does this play into REST? and sessions? |
|||
* Also, how about search and browsing? |
|||
** Perhaps people have templates that describe what kinds of data they're looking for? |
|||
* Why did sshkeys.net fail? |
|||
=== Examples === |
|||
* Paul's geodata example |
|||
* Automated scans of machines and software. |
|||
* CAcert assurers |
|||
* PGP key signings |
|||
* "User clicks" vs. auto-updates |
Latest revision as of 00:32, 24 June 2009
Peer review Activity
Instead of making it a pure "security" activity (that "just gets into the way" like any security stuff and thus will be circumvented) it might be better to use a peer review approach, helping both the author and the peers to learn (about security etc.) while doing the certification.
A shared "source browser" with highlighting/bookmarks and chat might be a good start.
-- Sascha Silbe
Questions
SSL and browsers as they are used today.
What's the interesting evidence?
- cjb points out: attestations about country of origin are helpful for anti-phishing efforts because some countries' providers are much more responsive to complaints than others'.
What's the ceremony?
What business opportunities does Rainflow offer?
- (e.g. greater brand visibility to trustworthy attesters)?
Other Ideas
- Do what is safe; prompt for unsafe things.
- So what about that covert channel in CSS for detecting what sites you've visited?
- Cards (business, credit, ...) and statements need to start carrying fingerprints and barcodes.
- Then I can compare my cards with other people's.
- The key lies in encouraging people to commit to things that are easier for legitimates to do than for impostors. Repeated application of this principle gives hardness amplification.
- So how does this play into REST? and sessions?
- Also, how about search and browsing?
- Perhaps people have templates that describe what kinds of data they're looking for?
- Why did sshkeys.net fail?
Examples
- Paul's geodata example
- Automated scans of machines and software.
- CAcert assurers
- PGP key signings
- "User clicks" vs. auto-updates