What stops root from modifying the source code to, for example, record user passwords?

It seems that, for this to really work, you'd need to run it on a machine running, e.g., SELinux and MCS. You'd have to restrict physical (console) access as well, so 1) no running it on a VM and 2) enforce the "two-man rule" for access to the server room as well.

That said, I guess it's certainly a big step up from nothing.
The strangeness I see is that the /delegate call isn't specific. I can't say that I want Joe to be able to decrypt LaunchCode3, so I could end up inadvertently allowing Mary to decrypt SecretLocation without really wanting to - it is wide open to timing attacks. This doesn't seem like a fundamental flaw, just something (maybe) overlooked in v1. Very cool stuff.