From a technical perspective, it's simply wrong for a design to outsource a critical access control decision to a third party. My computer should decide what sites can turn on my camera and microphone, not one of Adobe's servers.
The policy side is even worse. What if the FBI wanted to bug you? Could
they get a court order compelling Adobe to make an access control decision
that would turn on your microphone?
We've also been starting to think about the issues of law enforcement
access that arose during the crypto wars and that came to light again with
CAs. These issues are even more wicked with trusted boot. If the Turkish
government compelled Microsoft to include the Tubitak key in Windows so
their intelligence services could do man-in-the-middle attacks on Kurdish
MPs' gmail, then I expect they'll also tell Microsoft to issue them a UEFI
key to authenticate their keylogger malware. Hey, I removed the Tubitak key
from my browser, but how do I identify and block all foreign governments'
to post comments)