> The usual good solution is to make a human type in a secret.
Of course, the downside is that the appropriate human must be present for the system to come up properly. In some situations, the system must be able to boot into a working state. That way, even if somebody accidentally trips the power-- I've had this happen on production boxen --the system outage lasts only as long as the boot time. If a particular human (or one of a small number of secret holders) must be involved, then the outage could be measured in hours rather than minutes. Don't forget that Availability is also an important aspect of security. It all depends on your threat model. --mkb --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]