two-person login?

The Fungi fungi at yuggoth.org
Tue Jan 29 16:52:57 EST 2008


On Tue, Jan 29, 2008 at 03:37:26PM -0600, Nicolas Williams wrote:
> I think you missed John's point, which is that two-person *login*
> says *nothing* about what happens once logged in -- logging in
> enables arbitrary subsequent transactions that may not require two
> people to acquiesce.

Certainly, but then neither does a one-person login (people can
always log into a system and then walk away to get a cup of coffee,
for that matter).

> What if one of the persons leaves the other alone to do whatever they
> wish with the system?  Or are the two persons chained to each other?
> (And even then, there's no guarantee that they are both conscious at the
> same time, that no third person shows up and knocks them out *after*
> they've logged in, ...)

Of course, this is common sense. These are human problems which I do
not think can *ever* be solved through application of cryptography.
As I said, requiring two sets of credentials can act as a reminder
to work together, nothing more. There's no way that I know of to
force a person to pay attention, or for that matter do anything they
do not wish to do.

> When you force two people to participate on a *per-transaction* basis
> then you probably get both of them to pay attention, though such schemes
> might not scale to thousands, or even hundreds of transactions per-team,
> per-day.

Agreed--it would be nonsense to dream otherwise. My only point was
to suggest that there are some circumstances in which a system like
this can be helpful/useful, which was one of the questions John
asked. It is simply necessary that when employing such a system, you
be aware of what problems it actually *can* solve, and what problems
it cannot. I have no doubt that some people attempt to employ these
sorts of solutions in ways which they are indeed inapplicable (or
put too much faith in the false sense of security it gives them),
possibly at the urging of their snake oil vendors. This is why
scrutiny of the *application* of a technology is at least as
important as scrutiny of the technology itself.
-- 
{ IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657);
SMTP(fungi at yuggoth.org); IRC(fungi at irc.yuggoth.org#ccl); ICQ(114362511);
AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER(fungi at yuggoth.org);
MUD(fungi at katarsis.mudpy.org:6669); WWW(http://fungi.yuggoth.org/); }

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


