Path of Least Resistance. The most natural way to do any task should also be the most secure way.
The interface should expose, and the system should enforce, distinctions between objects and between actions along boundaries that matter to the user.
A user's authorities must only be provided to other actors as a result of an explicit user action that is understood to imply granting.
The interface should allow the user to easily review any active actors and authority relationships that would affect security-relevant decisions.
The interface should allow the user to easily revoke authorities that the user has granted, wherever revocation is possible.
The interface must not give the user the impression that it is possible to do something that cannot actually be done.
The interface must provide an unspoofable and faithful communication channel between the user and any entity trusted to manipulate authorities on the user's behalf.
The interface should enforce that distinct objects and distinct actions have unspoofably identifiable and distinguishable representations.
The interface should provide enough expressive power (a) to describe a safe security policy without undue difficulty; and (b) to allow users to express security policies in terms that fit their goals.
The effect of any security-relevant action must be clearly apparent to the user before the action is taken.