> They're not. [keys not collected by another agency]
Right. I think you're absolutely correct, now. And I fully expect (hope!) that the NSA will one day come to you with some more-secure hardware and that you will gladly cooperate because, as you say, we are all on the same team.
My point is that you can't say what you're saying now. You aren't secure, and you don't have the type of procedures that would ever let you get to more than a 4/10 or so. You don't even see having four independent points of failure as an issue, rather than a benefit.
By promising people that the NSA does not have your organization's keys you're providing the less technical with a false picture.
And maybe, one day, that might matter. You might trick the next leaker into trusting your org as a way to whistle-blow and cause them to be caught by the NSA before they reach the news.
> Yes, and at that point the name for it is "policy". [security procedures]
Yeah, and software is just automated policy. If this is a zero, and that's a zero, etc.
If the guard in the vault runs a non-exploitable policy (i.e. no "I'm the boss" backdoors) then you can greatly reduce evil-sysadmin attacks.
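The "automated policy" point above, as an added example that is not part of the original thread or any poster's code: a key-release guard written two ways. The first has an "I'm the boss" bypass, so one admin account is enough to release the key; the second is a plain k-of-n quorum with no override at all. The custodian roster, quorum size and request identifiers are all constructed here for illustration.

```python
"""Added example (not from the thread): a key-release guard as 'automated
policy'. The first authoriser has an 'I'm the boss' bypass; the second is a
plain k-of-n quorum with no override, so no single admin can release the key.
The roster, quorum size and sample approvals are constructed for this example.
"""
from dataclasses import dataclass

# Constructed roster of independent key custodians (hypothetical names).
CUSTODIANS = frozenset({"alice", "bob", "carol", "dave"})
QUORUM = 3  # release needs three distinct custodians


@dataclass(frozen=True)
class Approval:
    custodian: str
    request_id: str


def _quorum_met(request_id, approvals):
    """Count distinct custodians who approved *this* request.

    Duplicate approvals from one custodian, approvals for a different
    request, and approvals from anyone not on the roster do not count.
    """
    approvers = {
        a.custodian
        for a in approvals
        if a.request_id == request_id and a.custodian in CUSTODIANS
    }
    return len(approvers) >= QUORUM


def release_with_backdoor(request_id, approvals, is_boss):
    """Weak policy: a 'boss' flag short-circuits the quorum check.

    One compromised or malicious admin account is enough to get the key out.
    """
    if is_boss:
        return True
    return _quorum_met(request_id, approvals)


def release_quorum(request_id, approvals):
    """Hardened policy: nothing but a valid quorum releases the key.

    There is deliberately no role, flag or caller identity that can bypass
    the check, so an evil sysadmin still needs to collude with others.
    """
    return _quorum_met(request_id, approvals)


if __name__ == "__main__":
    req = "req-001"  # constructed request id
    two = [Approval("alice", req), Approval("bob", req)]
    three = two + [Approval("carol", req)]
    print("backdoor, boss, 2 approvals:", release_with_backdoor(req, two, True))
    print("quorum, 2 approvals:", release_quorum(req, two))
    print("quorum, 3 approvals:", release_quorum(req, three))
```

The difference between the two authorisers is one `if`, which is the whole point: the policy is only as strong as the cheapest path through the code, and a bypass flag is a path.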