One of the 'more' things that the TKE does is to enforce dual controls. That is, it takes two people (and maybe more) to make certain changes to the hardware.
Especially the PIN (credit card) related controls, you want that dual control. The ACP to enable 24-byte DES-MKs also requires at least two people to be involved. And while that might be something that you wish was easier to turn on (create a RACF profile to enable it), you almost certainly would NOT want to make it that easy to turn off. Greg Mainframe Crypto www.mainframecrypto.com ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
