[6337] in cryptography@c2.net mail archive


Re: starting up servers that need access to secrets

daemon@ATHENA.MIT.EDU (Ted Lemon)
Wed Jan 5 16:47:35 2000

Message-Id: <200001051636.LAA14057@grosse.manhattan.fugue.com>
To: Rich Salz <salzr@certco.com>
Cc: cryptography@c2.net
In-Reply-To: Message from Rich Salz <salzr@certco.com> 
   of "Wed, 05 Jan 2000 11:12:19 EST." <Pine.BSI.3.96.1000105110802.19961I-100000@haggis.ma.certco.com> 
Date: Wed, 05 Jan 2000 11:36:36 -0500
From: Ted Lemon <mellon@isc.org>


> I was assuming the adversary had physical access to the machine's console
> and could reboot, etc., at will, which seems to make your defense moot,
> at least for the (very few) systems I'm aware of.

Yes, if they have physical access life gets very complicated.   :'}
But most organizations I've worked with address this problem by
sending to-be-trusted employees' fingerprints to the FBI and having
trusted employees audit each other.   I think that the idea that
security can be *completely* automated is probably wrong - you always
wind up trusting *someone*.   E.g., what if the maker of your security
card has a mole on the production line who compromises your card?

			       _MelloN_

