Xorg Developer's Conference - Security Talk

Rough outline of talk/discussion follows:

Security Advisories/Response

Loadable module support for authentication methods. Could be done: provide registration function, call callback list passing connection setup information plus file descriptor; callback performs authentication entirely before returning decision to server.
Xtrans improvements. XCB doesn't use it. Could make it an actual library. Is a filehandle a sufficient abstraction?
XC-QUERY-SECURITY rework.

Have a research paper; will post link.
Improved resource lookup functions: still thinking about the prototype for dixLookupResource. Not sure if the DixReadAccess/DixWriteAccess flags are useful or necessary.
Use the resource system to store your module's objects.
Don't multiplex different operations through the same protocol request.

Security error handling. Right now, the Security extension "hides" denials from the user by returning false information. I would like to see the server begin returning actual errors, preferably BadAccess.
devPrivates rework. Currently have separate functions for each supported structure. Could standardize this into one set of functions.
Need to add devPrivates to additional structures: PropertyRec.
Window labeling: currently exporting properties to window manager. Feature request: need secure area for showing labels.
Secure handling of input events. Secure attention key support.