> I was assuming the adversary had physical access to the machine's console
> and could reboot, etc., at will, which seems to make your defense moot,
> at least for the (very few) systems I'm aware of.
Yes, if they have physical access life gets very complicated. :'}
But most organizations I've worked with address this problem by
sending to-be-trusted employees' fingerprints to the FBI and having
trusted employees audit each other. I think that the idea that
security can be *completely* automated is probably wrong - you always
wind up trusting *someone*. E.g., what if the maker of your security
card has a mole on the production line who compromises your card?
_MelloN_
