Usability Workshop Part 4

Part 1 Part 2 Part 3

At break we discussed Sitekey. The idea of presenting the user with a secret such as a user selected picture in order to authenticate the log in process is useful. To be secure though it has to be in the chrome. Otherwise I can get the sitekey through a phishing attack.

Another point brought up at break that I have to work into my talk is that we have to change the nature of the game so we are playing chess, not whack a mole. And I want to be able to extend any solution to address more than just the one type of crime.

Tyler Close demonstrated his Pet Name Tool. Pretty good idea, give the user the tools they need to customize their security context.

Amir is going to present a tool that essentialy implements Secure Letterhead without the CA side support. I am going to focus on the CA side of the proposal.

He just mentioned the infamous browser list. Actually things are worse than he suggests, Microsoft can push out additional roots at any time and there is no mechanism to tell the user it has happened let alone agree/disagree.

The VeriSign authentication process is not merely passive validation of documents, there is an active part to the process. There has been a well publicized failure which was detected internally and brought to the attention of the impersonated party and the public by VeriSign.

[Reminder: make the I don't speak for my employer notice more prominent on this site]

Some discussion of 'high assurance CA' certs. People seem to be getting these mixed up with Server Gated Crypto premium certs. Must mention Tim's work at the CABForum.

The Ruhr Univ talk: lots of good points here, mostly low level incremental stuff but thats what we mostly need here, good solid incremental stuff.

If we could provide security for people who upgrade to a new browser version and do not have trojaned machines that is a very big step forward.