Non-repudiation (was RE: The PAIN mnemonic)

Amir Herzberg amir at herzberg.name
Wed Dec 24 05:27:11 EST 2003 

Ian proposes below two draft-definitions for non-repudiation - legal and 
technical. Lynn also sent us a bunch of definitions. Let's focus on the 
technical/crypto one for now - after all this is a crypto forum (I agree 
the legal one is also somewhat relevant to this forum).

In my work on secure e-commerce, I use (technical, crypto) definitions of 
non-repudiation, and consider these as critical to many secure e-commerce 
problems/scenarios/requirements/protocols. Having spent considerable time 
and effort on appropriate definitions and analysis (proofs), I was/am a bit 
puzzled and alarmed to find that others in our community seem so vehemently 
against non-repudiation.

Of course, like other technical terms, there can be many variant 
definitions; that is not really a problem (the community will gradually 
focus on few important and distinct variants). Also it's an unavoidable 
fact of life (imho) that other communities (e.g. legal) use the same term 
in somewhat different meaning.

So my question is only to people like Ben and Carl who have expressed, if I 
understood correctly, objection to any form of technical, crypto definition 
of non-repudiation. I repeat: do you really object and if so why? What of 
applications/scenarios that seem to require non-repudiation, e.g. certified 
mail, payments, contract signing,...?


Best regards,

Amir Herzberg
Computer Science Department, Bar Ilan University
Lectures: http://www.cs.biu.ac.il/~herzbea/book.html
Homepage: http://amir.herzberg.name

Enclosed: At 21:33 23/12/2003, Ian Grigg wrote:
>Amir Herzberg wrote:
> >
> > Ben, Carl and others,
> >
> > At 18:23 21/12/2003, Carl Ellison wrote:
> >
> > > > >and it included non-repudiation which is an unachievable,
> > > > nonsense concept.
> >
> > Any alternative definition or concept to cover what protocol designers
> > usually refer to as non-repudiation specifications? For example
> > non-repudiation of origin, i.e. the ability of recipient to convince a
> > third party that a message was sent (to him) by a particular sender (at
> > certain time)?
> >
> > Or - do you think this is not an important requirement?
> > Or what?
>
>
>I would second this call for some definition!
>
>FWIW, I understand there are two meanings:
>
>    some form of legal inability to deny
>    responsibility for an event, and
>
>    cryptographically strong and repeatable
>    evidence that a certain piece of data
>    was in the presence of a private key at
>    some point.
>
>Carl and Ben have rubbished "non-repudiation"
>without defining what they mean, making it
>rather difficult to respond.
>
>Now, presumably, they mean the first, in
>that it is a rather hard problem to take the
>cryptographic property of public keys and
>then bootstrap that into some form of property
>that reliably stands in court.
>
>But, whilst challenging, it is possible to
>achieve legal non-repudiability, depending
>on your careful use of assumptions.  Whether
>that is a sensible thing or a nice depends
>on the circumstances ... (e.g., the game that
>banks play with pin codes).
>
>So, as a point of clarification, are we saying
>that "non-repudiability" is ONLY the first of
>the above meanings?  And if so, what do we call
>the second?  Or, what is the definition here?
>
> From where I sit, it is better to term these
>as "legal non-repudiability" or "cryptographic
>non-repudiability" so as to reduce confusion.
>
>iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list