9.6 Security as a Property of Architecture

PTERI security does not depend on:

• Policies
• User education
• Manual review
• Trust in operators

It depends on:

• Where keys live
• What servers can do
• What cryptography allows

If a system cannot do the wrong thing, it does not need to be trusted.

---