Subject: Re: Systrace policy fingerprints? (Re: finer grained IPNOPRIVPORTing)
To: Brett Lymn <blymn@baesystems.com.au>
From: Simon J. Gerraty <sjg@crufty.net>
List: tech-security
Date: 06/01/2005 00:49:36
On Wed, 1 Jun 2005 11:53:51 +0930, Brett Lymn writes:
>> Because I only need one.  This is an embedded OS in a device.  I only
>> want it running s/w that is shipped by the manufacturer.
>
>Yes, that's ok for you - I was thinking more out loud than suggesting

Sorry, yes I know.  My example is perhaps the simplest case.
A vendor shipping an embedded OS that wants to be tamper resistant.
>two man rule is common where you have a security critical function
>that is too risky to trust to one person who could be
>coopted/subverted.  An obvious (and well known) example of this is
>launching a nuclear missile - both members of the team must cooperate

Actually a CA private key was what sprang to my mind - hence my
question - how many people actually need that? (or to launch missiles? ;-)

I'm not saying any of these are bad ideas mind, just hedging against
over-engineering.  I'm sure the folk that want to launch missiles can
customize the thing a little ;-)

I liked the original veriexec because it was just what I needed and no
more - ok, I improved some bits but you have most of the patches ;-)

--sjg