What about a non-normative link from the spec to a place on the wiki where we can collect security considerations for it, and update those in real time as discussions such as the phishing one progress?