Re: two-person login?

2008-01-30 Thread Woodchuck
On Tue, 29 Jan 2008, John Denker wrote: > The foregoing makes sense, and is in extreme contrast to the situation > I am faced with, where Joe logs in with the help of Jane, and then > Jane leaves. Jane has not the slightest control over what Joe does > while logged in. I don't see a sane procedu

Re: two-person login?

2008-01-30 Thread Allen
mark seiden-via mac wrote: another term you might look for (used in physical security and financial controls) is "dual custody" or sometimes "double custody". You might also try "Shamir's split key knowledge" which has been around for many years and there is even a demo of how it works as

Re: two-person login?

2008-01-29 Thread Philipp Gühring
Hi, > I have been asked to opine on a system that requires a > "two-person login". Some AIX documents refer to this as > a "common method of increasing login security" > http://www.redbooks.ibm.com/redbooks/pdfs/sg245962.pdf I would like to have a two-person re

Re: two-person login?

2008-01-29 Thread The Fungi
On Tue, Jan 29, 2008 at 03:37:26PM -0600, Nicolas Williams wrote: > I think you missed John's point, which is that two-person *login* > says *nothing* about what happens once logged in -- logging in > enables arbitrary subsequent transactions that may not require two > pe

Re: two-person login?

2008-01-29 Thread John Denker
etrap), but it can help > remind them how they are expected to interact with systems. OK, that's clear and helpful. Thanks. The point I take away from this is that _procedure_ is primary and fundamental. Technology is secondary. The two-person login is technology, and it is only icin

Re: two-person login?

2008-01-29 Thread Nicolas Williams
On Tue, Jan 29, 2008 at 06:34:29PM +, The Fungi wrote: > On Mon, Jan 28, 2008 at 03:56:11PM -0700, John Denker wrote: > > So now I throw it open for discussion. Is there any significant > > value in two-person login? That is, can you identify any threat > > that is all

Re: two-person login?

2008-01-29 Thread Ian G
l be. The two-person login requires the approver to be present at login time, but does not require the approver to remain present, let alone take responsibility for what Joe does after login. c) The only threat model I can come up with is the case where Joe's password has been c

Re: two-person login?

2008-01-29 Thread The Fungi
On Mon, Jan 28, 2008 at 03:56:11PM -0700, John Denker wrote: [...] > I don't think it is very common; I get only five hits from > http://www.google.com/search?q=two-person-login [...] Try searching for "secret splitting" instead. > From the foregoing, you might conc

Re: two-person login?

2008-01-29 Thread mark seiden-via mac
nation mode which allows access only when two different three number combinations are dialed within 10 seconds of one another c-Supervisory/subordinate mode On Jan 28, 2008, at 2:56 PM, John Denker wrote: Hi Folks -- I have been asked to opine on a system that requires a "two-person

two-person login?

2008-01-29 Thread John Denker
Hi Folks -- I have been asked to opine on a system that requires a "two-person login". Some AIX documents refer to this as a "common method of increasing login security" http://www.redbooks.ibm.com/redbooks/pdfs/sg245962.pdf However, I don't think it is very comm