Non-repudiation (was RE: The PAIN mnemonic)

[Ian Grigg]

Amir Herzberg wrote:
> 
> Ben, Carl and others,
> 
> At 18:23 21/12/2003, Carl Ellison wrote:
> 
> > > >and it included non-repudiation which is an unachievable,
> > > nonsense concept.
> 
> Any alternative definition or concept to cover what protocol designers
> usually refer to as non-repudiation specifications? For example
> non-repudiation of origin, i.e. the ability of recipient to convince a
> third party that a message was sent (to him) by a particular sender (at
> certain time)?
> 
> Or - do you think this is not an important requirement?
> Or what?


I would second this call for some definition!

FWIW, I understand there are two meanings:

   some form of legal inability to deny
   responsibility for an event, and

   cryptographically strong and repeatable
   evidence that a certain piece of data
   was in the presence of a private key at
   some point.

Carl and Ben have rubbished "non-repudiation"
without defining what they mean, making it
rather difficult to respond.

Now, presumably, they mean the first, in
that it is a rather hard problem to take the
cryptographic property of public keys and
then bootstrap that into some form of property
that reliably stands in court.

But, whilst challenging, it is possible to
achieve legal non-repudiability, depending
on your careful use of assumptions.  Whether
that is a sensible thing or a nice depends
on the circumstances ... (e.g., the game that
banks play with pin codes).

So, as a point of clarification, are we saying
that "non-repudiability" is ONLY the first of
the above meanings?  And if so, what do we call
the second?  Or, what is the definition here?

>From where I sit, it is better to term these
as "legal non-repudiability" or "cryptographic
non-repudiability" so as to reduce confusion.

iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com