Adam Lydick writes:
I'd guess that no applications (besides the secure nexus) would have access to your "list of doggie names", just the ability to display it. The list just indicates that you are seeing a window from one of your partitioned and verified applications. I would also assume the window would get decorated with the name of the trusted application (not just your secret list). Thus you only need a single secret list to handle all of your "authorized" applications.
That makes sense. However, it puts the burden onto the user to closely inspect his window frames in order to make sure that he is talking to the program (or NCA in Palladium) that he thinks he is talking to. It also introduces the problem of program-name spoofing; you might be given a dialog to enter your password for Paypa1 or E-Go1d. If users were that careful, we wouldn't have these kinds of problems in the first place.