Non-repudiation (was RE: The PAIN mnemonic)
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sun Dec 28 22:19:57 EST 2003

"Carl Ellison" <cme at acm.org> writes:
>>Ah. That's why they're trying to rename the corresponding keyUsage bit
>>to "contentCommitment" then:
>
>Maybe, but that page defines it as:
>
>contentCommitment: for verifying digital signatures which are intended to
>signal that the signer is committing to the content being signed. The
>precise level of commitment, e.g. "with the intent to be bound" may be
>signaled by additional methods, e.g. certificate policy.

This refers to the second (and IMHO more sensible) use of the X.509
nonRepudiation bit, which uses digitalSignature for short-term signing (e.g.
user authentication) and nonRepudiation for long-term signing (e.g. signing
a document). The other definition uses digitalSignature for everything,
and nonRepudiation as an additional service on top of digitalSignature. The
problem with that definition is that no two people in the X.509 world can
agree on what nonRepudiation actually signifies. The best suggestion I've
seen for the nonRepudiation bit is that CAs should set it to random values
to disabuse users of the notion that it has any meaning. For the
"additional-service" definition of nonRepudiation, the X.509 Style Guide
says:

Although everyone has their own interpretation, a good practical definition
is "Nonrepudiation is anything which fails to go away when you stop
believing in it". Put another way, if you can convince a user that it isn't
worth trying to repudiate a signature then you have nonrepudiation. This
can take the form of having them sign a legal agreement saying they won't
try to repudiate any of their signatures, giving them a smart card and
convincing them that it's so secure that any attempt to repudiate a
signature generated with it would be futile, threatening to kill their kids,
or any other method which has the desired effect. One advantage (for
vendors) is that you can advertise just about anything as providing
nonrepudiation, since there's sure to be some definition which matches
whatever it is you're doing (there are "nonrepudiation" schemes in use today
which employ a MAC using a secret shared between the signer and the verifier,
which must be relying on a particularly creative definition of
nonrepudiation).

Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
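The two readings of the keyUsage bits described in the message above can be compared directly. This is an added example, not part of the original post: it decodes a DER-encoded keyUsage BIT STRING and checks it under each reading. The function names, the policy model in `accepts()` and the sample encodings are assumptions constructed for illustration.

```python
# Added illustration, not from the original post. Function names and the
# policy model in accepts() are assumptions made for this example.
KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1, the bit the thread says is being renamed contentCommitment
    "keyEncipherment", "dataEncipherment", "keyAgreement",
    "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

def decode_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING inside a keyUsage extension into bit names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length, unused, body = der[1], der[2], der[3:]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bit count")
    total_bits = len(body) * 8 - unused
    # Named bit i is counted from the most significant bit of the first byte.
    return {
        KEY_USAGE_BITS[i]
        for i in range(min(total_bits, len(KEY_USAGE_BITS)))
        if body[i // 8] & (0x80 >> (i % 8))
    }

def accepts(usage: set, purpose: str, reading: str) -> bool:
    """purpose: 'authentication' or 'document'; reading: 'separate' or 'additional'."""
    if purpose not in ("authentication", "document"):
        raise ValueError(purpose)
    if reading == "separate":
        # digitalSignature for short-term signing, nonRepudiation for long-term signing.
        needed = "digitalSignature" if purpose == "authentication" else "nonRepudiation"
    elif reading == "additional":
        # digitalSignature for everything; nonRepudiation is an extra service whose
        # meaning is not agreed, so it does not change what the verifier accepts.
        needed = "digitalSignature"
    else:
        raise ValueError(reading)
    return needed in usage

if __name__ == "__main__":
    # Constructed sample encodings (tag 0x03, length, unused-bit count, bits).
    samples = {"digitalSignature only": "03020780", "nonRepudiation only": "03020640"}
    for label, hexder in samples.items():
        usage = decode_key_usage(bytes.fromhex(hexder))
        for reading in ("separate", "additional"):
            print(label, reading, "document:", accepts(usage, "document", reading))
```

The same certificate is accepted for document signing by a verifier using one reading and rejected by a verifier using the other, which is the interoperability problem the message describes.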