Why is Control-Alt-Delete the secure attention sequence (SAS)?

When we were designing NT 3.1, one of the issues that came up fairly early was the secure attention sequence - we needed to have a keystroke sequence that couldn't be intercepted by any application.

So the security architect for NT (Jim Kelly) went looking for a keystroke sequence he could use.

 

It turned out that the only keystroke combination that wasn't already being used by a shipping application was control-alt-del, because that was used to reboot the computer.

And thus was born the Control-Alt-Del to log in.

I've got to say that the first time that the logon dialog went into the system, I pressed it with a fair amount of trepidation - I'd been well trained that C-A-D rebooted the computer and....