Non-repudiation (was RE: The PAIN mnemonic)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Dec 28 22:19:57 EST 2003


"Carl Ellison" <cme at acm.org> writes:

>>Ah. That's why they're trying to rename the corresponding keyUsage bit
>>to "contentCommitment" then:
>
>Maybe, but that page defines it as:
>
>contentCommitment: for verifying digital signatures which are intended to
>signal that the signer is committing to the content being signed. The
>precise level of commitment, e.g. "with the intent to be bound" may be
>signaled by additional methods, e.g. certificate policy.

This refers to the second (and IMHO more sensible) use of the X.509
nonRepudiation bit, which uses digitalSignature for short-term signing (e.g.
user authentication) and nonRepudiation for long-term signing (e.g. signing
a document).  The other definition uses digitalSignature for everything,
and nonRepudiation as an additional service on top of digitalSignature.  The
problem with that definition is that no two people in the X.509 world can
agree on what nonRepudiation actually signifies.  The best suggestion I've
seen for the nonRepudiation bit is that CAs should set it to random values
to disabuse users of the notion that it has any meaning.  For the
"additional-service" definition of nonRepudiation, the X.509 Style Guide 
says:

  Although everyone has their own interpretation, a good practical definition 
  is "Nonrepudiation is anything which fails to go away when you stop 
  believing in it".  Put another way, if you can convince a user that it isn't 
  worth trying to repudiate a signature then you have nonrepudiation.  This 
  can take the form of having them sign a legal agreement saying they won't 
  try to repudiate any of their signatures, giving them a smart card and 
  convincing them that it's so secure that any attempt to repudiate a 
  signature generated with it would be futile, threatening to kill their kids, 
  or any other method which has the desired effect.  One advantage (for 
  vendors) is that you can advertise just about anything as providing 
  nonrepudiation, since there's sure to be some definition which matches 
  whatever it is you're doing (there are "nonrepudiation" schemes in use today 
  which employ a MAC using a secret shared between the signer and the verifier, 
  which must be relying on a particularly creative definition of 
  nonrepudiation).

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
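
Added example, not part of the original message or of any project's code: a small decoder for a DER-encoded keyUsage BIT STRING that reads the same bits under the two conventions described in the message above. The function names, the sample encodings, the wording of each reading, and the handling of nonRepudiation without digitalSignature under the second convention are assumptions made for illustration.

```python
# Added example, not from the original message. Bit order follows X.509 keyUsage.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation",  # bit 1: contentCommitment
                  "keyEncipherment", "dataEncipherment", "keyAgreement",
                  "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]

def decode_key_usage(der: bytes) -> set:
    """Return the set of named bits; validates only what this demo needs."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    if der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("unexpected length encoding")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    return {name for i, name in enumerate(KEY_USAGE_BITS)
            if i // 8 < len(body) and body[i // 8] & (0x80 >> (i % 8))}

def read_split(bits: set) -> list:
    """Convention 1: digitalSignature = short-term, nonRepudiation = long-term."""
    pairs = [("digitalSignature", "short-term signing"),
             ("nonRepudiation", "long-term signing")]
    return [use for bit, use in pairs if bit in bits]

def read_additive(bits: set) -> list:
    """Convention 2: digitalSignature for everything, nonRepudiation on top.
    Treating the add-on without the base as 'no signing use' is an assumption."""
    if "digitalSignature" not in bits:
        return []
    uses = ["signing"]
    if "nonRepudiation" in bits:
        uses.append("nonRepudiation service (meaning not agreed)")
    return uses

# Constructed sample encodings (not taken from any real certificate).
SAMPLES = {"digitalSignature only": "03020780",
           "nonRepudiation only": "03020640",
           "both bits": "030206c0"}

def compare(samples=SAMPLES) -> dict:
    """Map each sample to (convention 1 reading, convention 2 reading)."""
    decoded = {k: decode_key_usage(bytes.fromhex(v)) for k, v in samples.items()}
    return {k: (read_split(b), read_additive(b)) for k, b in decoded.items()}

if __name__ == "__main__":
    print(*compare().items(), sep="\n")
```

The "nonRepudiation only" sample is where the two conventions diverge most: a dedicated long-term signing key under the first, no usable signing permission under the second.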