> They're not. [keys not collected by another agency]
Right. I think you're absolutely correct, now. And I fully expect (hope!) that the NSA will one day come to you with some more-secure hardware and that you will gladly cooperate because as you say - we are all on the same team.
My point is that you can't say what you're saying now. You aren't secure, and you don't have the type of procedures that would ever let you get to more than a 4/10 or so. You don't even see having four independent points of failure as an issue, rather than a benefit.
By promising people that the NSA does not have your organization's keys you're providing the less technical with a false picture.
And maybe, one day, that might matter. You might trick the next leaker into trusting your org as a way to whistle-blow and cause them to be caught by the NSA before they reach the news.
> Yes, and at that point the name for it is "policy". [security procedures]
Yeah, and software is just automated policy. If this is a zero, and that's a zero, etc...
If the guard in the vault runs a non-exploitable policy (i.e. no "I'm the boss" backdoors) then you can greatly reduce evil-sysadmin attacks.
I'm just saying you're making claims you cannot possibly verify. You say nobody is collecting your keys even though all you have is a lack of evidence either way. I also think you're probably, accidentally, right in this case. But only because I doubt you really have adversaries who care.
You're confusing being uninteresting with being safe. (Safety in numbers is irrelevant once you've been selected.)
> Sorry, I'm not going to continue arguing with you.
I'm using the NSA as an example of a foe of sufficient capability, not saying that this is what they do (to our own agencies at any rate.) Someone who can trojan hardware, suborn any given person, etc.
I was hoping to use a very advanced force as an example to show that things that may sound secure aren't if your attacker has a certain level of resources.
Fwiw, most pen-testers would also be able to bypass any such casually enacted system too, but that's less obvious so I had hoped to avoid that argument by going with an extreme example.
Yes, and at that point the name for it is "policy". These are our own keys after all- nobody would blink an eye if they were supposed to be collected.
They're not.