Comments: Non-repudiation, Evidence and TLS: another fine mess I've got you into :-(

> Back in the good old days when security people would sprout nonsense
> and nobody blinked,

Is this an intentional mixing of metaphors, using "sprout" instead of "spout"? It's quite an image! I've never seen it before (or at least never noticed it), but I see you're not the first--google reports 1090 hits for "sprout nonsense" (compared to 19600 for "spout nonsense", so that's more than 5%).

Posted by Ray at January 5, 2007 05:16 AM

LOL.... well, that would fall in the "unintentional" basket. Now that I think of it, spout would be correct, but as the usage is one of metaphors, maybe I can poetically claim licence that there is a peculiar Brussels sense of talking nonsense ???

At a meta-post level, the precise meaning of words is what it is all about, so corrections gladly accepted.

Posted by Iang at January 5, 2007 05:23 AM

old post where i pulled some sc27 definitions and added them
into my merged security taxonomy and glossary
http://www.garlic.com/~lynn/aadsm11.htm#14 Meaning of Non-repudiation

non-repudiation
non-repudiation exchange
non-repudiation information
non-repudiation of creation
non-repudiation of delivery
non-repudiation of knowledge
non-repudiation of origin
non-repudiation of receipt
non-repudiation of sending
non-repudiation of submission
non-repudiation of transport

non-repudiation shares same issues surrounding "human signature" ... where a "human" signature is indication that somebody is demonstrating *intent* and has read, understood, approves, aggrees, and/or authorizes something ... requiring some sort of indication that holds for each specific operation. "digital signature" carries NONE of those characteristics (other than the terms happen to share the
word "signature"). lots of past posts discussing "human signature" (and having been brought in to help word-smith the california and federal electronic signature legislation)
http://www.garlic.com/~lynn/subpubkey.html#signature

"non-repudiation" requires something similar ... and as such, many of the definitions have morphed into involving a service that provides some indication as to some specific occurance ... rather than trying to demonstrate non-repudiation of *intent*, demonstrate non-repudiation of some specific event or activity having occured.

a couple of (lengthy) past threads discussing "meaning" of non-repudiation:
http://www.garlic.com/~lynn/aepay7.htm#nonrep0 non-repudiation, was Re: crypto flaw in secure mail standards
http://www.garlic.com/~lynn/aepay7.htm#nonrep1 non-repudiation, was Re: crypto flaw in secure mail standards
http://www.garlic.com/~lynn/aepay7.htm#nonrep2 non-repudiation, was Re: crypto flaw in secure mail standards
http://www.garlic.com/~lynn/aepay7.htm#nonrep3 non-repudiation, was Re: crypto flaw in secure mail standards
http://www.garlic.com/~lynn/aepay7.htm#nonrep4 non-repudiation, was Re: crypto flaw in secure mail standards
http://www.garlic.com/~lynn/aepay7.htm#nonrep5 non-repudiation, was Re: crypto flaw in secure mail standards
http://www.garlic.com/~lynn/aepay7.htm#nonrep6 non-repudiation, was Re: crypto flaw in secure mail standards
http://www.garlic.com/~lynn/2001c.html#30 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#34 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#39 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#40 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#41 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#42 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#43 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#44 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#45 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#46 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#47 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#50 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#51 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#52 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#54 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#56 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#57 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#58 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#59 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#60 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#72 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#73 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/aadsm11.htm#5 Meaning of Non-repudiation
http://www.garlic.com/~lynn/aadsm11.htm#6 Meaning of Non-repudiation
http://www.garlic.com/~lynn/aadsm11.htm#7 Meaning of Non-repudiation
http://www.garlic.com/~lynn/aadsm11.htm#8 Meaning of Non-repudiation
http://www.garlic.com/~lynn/aadsm11.htm#9 Meaning of Non-repudiation
http://www.garlic.com/~lynn/aadsm11.htm#11 Meaning of Non-repudiation
http://www.garlic.com/~lynn/aadsm11.htm#12 Meaning of Non-repudiation
http://www.garlic.com/~lynn/aadsm11.htm#13 Words, Books, and Key Usage
http://www.garlic.com/~lynn/aadsm11.htm#15 Meaning of Non-repudiation

Posted by Lynn Wheeler at January 5, 2007 10:42 AM

I don't agree that non-repudiation is a misnomer or chimera. I do agree that the weakest link is often an insecure signing device (e.g., a PC).

Its true that in its common usage signatures are evidence. If courts are deciding things then repudiations may indeed take place, sometimes even if they were with malice or fraudulent. Individuals or corporations may be forced to accede to unwinding prior commitments or transactions, sometimes with greatly damaging results. Not much you can do if courts are involved.

An obvious if partial solution is, for businesses that can, to effectively operate outside identifiable national jurisdictions. Contracts can be adjudicated by private justice systems (e.g., the Common Economic Protocols) that may be unwilling to preempt existing contractual arrangements (especially, digital/electronic contracts, a 'la ) to satisfy statist or social goals. In that case caviat emptor to signers.

Posted by Nostradumbass at January 9, 2007 03:24 PM
Post a comment









Remember personal info?






Hit Preview to see your comment.
MT::App::Comments=HASH(0x5650921d6188) Subroutine MT::Blog::SUPER::site_url redefined at /home/iang/www/fc/cgi-bin/mt/lib/MT/Object.pm line 125.