On Tue, 29 Jan 2008, John Denker wrote:

> The foregoing makes sense, and is in extreme contrast to the situation
> I am faced with, where Joe logs in with the help of Jane, and then
> Jane leaves. Jane has not the slightest control over what Joe does
> while logged in. I don't see a sane procedure here. It seems Jane
> is signing a blank check.

Ah. Jane need not have a requirement to know what Joe is doing; in fact, Jane may not even be cleared for Joe's material. (This is not uncommon. Jane may be security officer, Joe may be payroll manager. Jane is not authorized to see payroll data or even use the payroll "joe" account.)

What has transpired is that Joe cannot deny that he was logged on. He can further deny that other logins that he did not perform were done by him, assuming Jane is honest. Jane can attest that the login by user joe was done by human Joe.

> It wouldn't be so bad if there were a development system separate
> from the production system, but there isn't, so Joe spends all day
> every day logged into the "high security" production system. Joe
> can commit anything he wishes. There is no two-party review of the
> commit, just two-party review of the login.

Correct. Logins by Joe-impersonators, even those who have stolen Joe's password, say, are impossible without Jane's collusion.

> Just to rub salt in the wound, they've got it set up so that everybody
> uses the "Admin" account. There are N people who know the first half
> of the Admin password, and M people who know the second half. Besides
> being an incredibly lame form of secret-splitting, this has the nasty
> property that when Admin logs in, you don't even know who was involved.
> There are M*N/2 possibilities. There is no accountability anywhere.

This is sounding something like the FBI's method for getting at certain sensitive info, that was recently subjected to criticism. There was only one account to access the data, all operatives had the password. Adding "Jane" sounds like an inept fix.

Dave
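
An added illustration, not part of the original message: a witnessed login record that names both humans and carries a tag from each one's own credential, next to the shared split-password "Admin" login, whose record can only name the account. All names here (`KEYS`, `witnessed_login`, `audit`, `shared_admin_login`) and all secrets are constructed for the example, and HMAC is an assumed stand-in for a real signature scheme or hardware token, since whoever holds the verification keys could also forge the tags.

```python
import hashlib
import hmac
import json

# Constructed per-person secrets. Assumption: each human holds their own
# credential; HMAC stands in for a real signature scheme or hardware token.
KEYS = {"joe": b"joe-secret-constructed", "jane": b"jane-secret-constructed"}
ADMIN_PASSWORD = "first-half" + "second-half"  # constructed shared secret


def _tag(key, record):
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def witnessed_login(account, subject, subject_key, witness, witness_key, ts):
    """Login record naming both humans, tagged with each one's own key."""
    record = {"account": account, "subject": subject, "witness": witness, "ts": ts}
    return dict(record,
                subject_tag=_tag(subject_key, record),
                witness_tag=_tag(witness_key, record))


def audit(entry, keys=KEYS):
    """Return (subject, witness) if both tags verify, else None."""
    record = {k: entry[k] for k in ("account", "subject", "witness", "ts")}
    subject, witness = record["subject"], record["witness"]
    if subject == witness or subject not in keys or witness not in keys:
        return None
    ok = (hmac.compare_digest(entry["subject_tag"], _tag(keys[subject], record))
          and hmac.compare_digest(entry["witness_tag"], _tag(keys[witness], record)))
    return (subject, witness) if ok else None


def shared_admin_login(first_half, second_half, ts):
    """The split-password scheme: the log can only name the account."""
    ok = first_half + second_half == ADMIN_PASSWORD
    return {"account": "Admin", "ts": ts, "ok": ok}


if __name__ == "__main__":
    good = witnessed_login("joe", "joe", KEYS["joe"], "jane", KEYS["jane"], 1201564800)
    # Joe's credential is used, but the witness tag is made without Jane's key.
    forged = witnessed_login("joe", "joe", KEYS["joe"], "jane", b"guess", 1201564800)
    print(audit(good), audit(forged))
    print(shared_admin_login("first-half", "second-half", 1201564800))
```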