[Fwd: Re: Non-repudiation (was RE: The PAIN mnemonic)]

Jerrold Leichter jerrold.leichter at smarts.com
Wed Jan 7 10:14:58 EST 2004

Now that we've trashed non-repudiation ... just how is it different from
authentication?  In both cases, there is a clear technical meaning (though as
with anything in mathematics, when you get right down to it, the details are
complex and may be important):  To produce an authenticator/non-repudiable
signature, you must have access to the secret.  There isn't, at this level,
even any difference between the requirements for the two.  Where we get into
trouble is in attempting to bind the real world to the mathematics.  In each
case, the receiver wants to be able to say:

     1.	I can rely on the fact that X sent me this data, because it came
	with a signature that could be calculated only by X.

What he *really* needs to say is:

     2.	I can rely on the fact that X sent me this data, because it came
	with a signature that could be calculated only by someone knowing X's

To go from 2 to 1, the receiver must also have:

     3.	I can rely on the fact that only X knows X's secret.

In ordinary English usage, there is little difference between "I've authenti-
cated this message as coming from X" and "X can't deny that he wrote this
message."  We've learned that "non-repudiation" is a concept with relatively
little use in the legal system.  However, authentication (of a signature,
document, whatever) is quite common (even if for the usual kinds of objects
that need authentication, there is generally little to discuss).  If the
ultimate question is whether, as a legal matter, X is bound by some writing
or whatever, authentication gets at the same basic question (which is only
part, usually a small part, of the relevant legal issues).

The problems that we've been discussion here are clear from 2 and 3:

	- "Rely on" is inherently outside of the cryptography or mathematics.
		It's only meaningful to the extent that there is some recourse
		(generally through agreements, but ultimately through the legal
		system) if you rely on something that turns out not be what
		you thought it was.

	- We identify "X" with an individual, but in fact "X" rarely knows
		the secret personally, and never does the actual calculations -
		some code running in some real physical machine does the work.

So in fact we can't even begin to get 3; at best, we have:

    3'. I can rely on the fact that, if X has shared his secret with Y (where
	Y is typically some equipment), then I can rely on X to be bound by
	whatever Y does.

This is now so bizarre and removed from ordinary notions that it should be
clear why it's unlikely be of much real-world use!

							-- Jerry

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list