Non-repudiation (was RE: The PAIN mnemonic)

Ben Laurie ben at algroup.co.uk
Mon Dec 29 10:59:53 EST 2003


Carl Ellison wrote:
> 	If you want to use cryptography for e-commerce, then IMHO you need a
> contract signed on paper, enforced by normal contract law, in which one
> party lists the hash of his public key (or the whole public key) and says
> that s/he accepts liability for any digitally signed statement that can be
> verified with that public key.

One of the things my paper discusses is that under UK law a signature on 
an email is just as binding as on paper, because contracts are all about 
intent to be bound and not the medium in which they are captured. Of 
course, if you want to repudiate an email it is probably easier, 
especially if you signed it by typing your name at the bottom (yes, this 
is a valid signature under UK law), but that's a judgement call on the 
part of the relying party.

> 	Any attempt to just assume that someone's acceptance of a PK
> certificate amounts to that contract is extremely dangerous, and might even
> be seen as an attempt to victimize a whole class of consumers.

Agreed - as I say, it's all about intent and reliance. Nothing is automatic.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


