Balancing Security and Usability #159
SteveLasker started this conversation in General
A core goal of Notary v2 is to balance usability, security, and functionality. As we develop the APIs, CLIs, and configuration stores, we must think about these aspects:
The notation client supports configurations, including trust store policies. A bad actor will go to extraordinary measures to alter the configuration files. To secure these files from bad actors, we should place them in a location the normal user would be unable to modify.
As we develop CLIs to interact with and configure notation-enabled clients, we should provide CLIs that help the users do the right thing, minimizing the possibility of making mistakes. These include configuring the local trust policy stores. Manually editing configuration files is prone to errors. Adding a command to configure an option doesn't make the system more secure as the bad actor will simply edit the file through other means. Any actor that attempts to alter the configuration files should be guarded through secure access to the files, not whether a CLI command makes it easy to accurately configure an option.
As we develop Notary capabilities, we should weigh the following options: