crypto flaw in secure mail standards

James M Galvin galvin at acm.org
Mon Jun 25 10:48:50 EDT 2001


    The digital signature laws I've seen don't mention and don't support
    the notion of "non-repudiation", which seems to be an obsession
    among computer security people and a non-issue among legal
    people. The idea that something is "non-repudiable" or unarguable or
    unavoidable is nonsense. I use it as a clue detector - if someone
    talks about non-repudiation, they don't know much about US contract
    law.

My clue is just fine, but thanks for your concern.  Last time I checked
my favorite desktop dictionary, to repudiate meant to reject as
unauthorized, you know, not a party to the contract.  Non-repudiation
would mean I can't reject it as unauthorized, you know, that I cannot
say I am not party to the contract.  Would you please explain to me how
whether or not I am in fact an actual party to the contract has nothing
to do with US contract law?

Non-repudiation is not a legal concept in and of itself (and I never
said it was), but it is important to any lawyer who has to deal with any
dispute involving electronic information (which is what I meant although
perhaps not as well stated before).  It is a security service that is
important if not essential to electronic transactions that are
vulnerable to legal disputes (perhaps more so in the US than anywhere
else, but hey I'm not a lawyer so don't ask me).  It would also be fair
to say it is more important today than it was 12 years ago, when PEM was
first getting popular (for as popular as it got).  For that reason, Don
can call it a "flaw" if he wants to, but I prefer to think of it as the
"next bite" of the secure email problem which we could reasonably do
something about; it's certainly not a hard problem technically or a huge
oversight that got no attention at the time.

Jim



---------------------------------------------------------------------
The Cryptography Mailing List