Path of Least Resistance. The most natural way to do any task should also be the most secure way.
Appropriate Boundaries. The interface should expose, and the system should enforce, distinctions between objects and between actions along boundaries that matter to the user.
Explicit Authorization. A user's authorities must only be provided to other actors as a result of an explicit user action that is understood to imply granting.
Visibility. The interface should allow the user to easily review any active actors and authority relationships that would affect security-relevant decisions.
Revocability. The interface should allow the user to easily revoke authorities that the user has granted, wherever revocation is possible.
Expected Ability. The interface must not give the user the impression that it is possible to do something that cannot actually be done.
Trusted Path. The interface must provide an unspoofable and faithful communication channel between the user and any entity trusted to manipulate authorities on the user's behalf.
Identifiability. The interface should enforce that distinct objects and distinct actions have unspoofably identifiable and distinguishable representations.
Expressiveness. The interface should provide enough expressive power (a) to describe a safe security policy without undue difficulty; and (b) to allow users to express security policies in terms that fit their goals.
Clarity. The effect of any security-relevant action must be clearly apparent to the user before the action is taken.
Reply With Quote