% > Among
% > the requirements is "separation of duties"--that is, it should be
% > impossible for a single individual, including a firewall manager, to
% > subvert the purpose of the firewall.
% > "Steve" Stephen L. Arnold, Ph.D., Principal, Arnold Consulting
% But seriously, is that really possible? Without thinking too deeply
% about it, my initial reaction is that it's a bit like trying to
% play yourself in chess: it's fairly difficult to outsmart yourself.
There are mathematical solutions to this. It is possible to design a
(mathematical) lock with n keys, and to open it you need a sufficiently
large subset m of those n keys (most of the time m = n/2 + 1 or
larger). How you would _implement_ something like this so that it would
be possible to _work_ with this situation is an entirely different
% BTW, this question still applies even if you trust the designer
% %100 at the moment. (And obviously, if you trusted this person
% forever, then there would be no need to worry about this issue.)
It also keeps the designer from being sued as the one who broke into
the system (if that has happened). (S)he can "only" be held responsible
for not anticipating every attack.