[Fwd: Re: Non-repudiation (was RE: The PAIN mnemonic)]

John Lowry jlowry at bbn.com
Thu Jan 8 12:15:05 EST 2004


Non-repudiation is really very simple in concept.

"The ability to prove to a third party that you (or someone else) was party
to a transaction".

There are a lot of problems regarding who the third party must be, what
constitutes "proof", etc., etc.

In the English common-law system, this is applied in various ways and times.
It all comes down to concepts of "reasonableness", "intent", "care" and so
on.

Can you say "convince the judge or jury of your peers"?

The same is true for authentication.

John



On 1/7/04 15:06, "Anton Stiglic" <astiglic at okiok.com> wrote:

> 
> ----- Original Message -----
> From: "Jerrold Leichter" <jerrold.leichter at smarts.com>
> Cc: "Cryptography" <cryptography at metzdowd.com>
> Sent: Wednesday, January 07, 2004 7:14 AM
> Subject: Re: [Fwd: Re: Non-repudiation (was RE: The PAIN mnemonic)]
> 
> 
>> Now that we've trashed non-repudiation ... just how is it different from
>> authentication?
> 
> I don't think the word "authentication" has the same problem as
> "non-repudiation", but you do need to be careful how you define it.
> 
> So here we are talking about entity authentication (as opposed to data
> authentication; the latter really has an unambiguous definition, at least I
> hope it does!).
> 
> The way you should define entity authentication is by stating that it is a
> process of verifying that an entity possesses the authentication credentials
> associated with the user that entity claims to be.  This entity might be the
> rightful user, or it might be someone who stole the credentials from the
> rightful user.  If someone stole my ATM card and my PIN, he/she can
> successfully authenticate him/herself to an ATM and withdraw money.  The word
> "authenticate" is appropriate in this last phrase.
> 
> But I see that most definitions that have been collected here:
> http://www.garlic.com/~lynn/secgloss.htm#t523
> are not careful about this.
> 
> The thing about non-repudiation is that it is something that even most laws
> do not permit.  See for example:
> http://www.firstmonday.dk/issues/issue5_8/mccullagh/
> 
> Non-repudiation applied to digital signatures implies that the definition
> states that only one person possibly had possession of the private signing
> key and was conscious about the fact that it was used to sign something.
> 
> In most jurisdictions a person has the right to repudiate a signature
> (hand-written or electronic), and thus non-repudiation does not work.  People
> have the right to repudiate signatures since they might be the result of a
> forgery or fraud, the signer might have been drunk or something at the time of
> signing, or forced to sign (like with a gun to his head).  Repudiation is
> possible but non-repudiation is not.
> 
> I know some people who use the term "accountability" instead of
> "non-repudiation" to express the property needed in certain systems
> (commercial infrastructures where users login and need to be accountable for
> their acts).  This seems like a better term to be used in certain contexts,
> but I'm still thinking about it...
> 
> --Anton
> 
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
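Two points in the thread lend themselves to a concrete illustration: Anton's observation that entity authentication only proves possession of a credential (a thief with my card and PIN authenticates just as well as I do), and John's definition of non-repudiation as the ability to prove something to a third party. The Python below is an added example and is not code from either poster or from the list; it uses a textbook toy RSA key (p=61, q=53, so n=3233, e=17, d=2753, constructed values with no security) plus HMAC from the standard library. The hash-to-integer step is simplified to fit the toy modulus, and the names "alice", "thief", "bob" and "bank" are constructed for the scenario.

```python
# Added example (not from the thread): what a verifier can and cannot conclude
# from a digital signature versus a MAC. Toy RSA parameters, constructed for
# readability only: p=61, q=53 -> n=3233, e=17, d=2753.
import hashlib
import hmac

N, E, D = 3233, 17, 2753  # toy RSA modulus, public exponent, private exponent


def _hash_to_int(message: bytes) -> int:
    """Reduce SHA-256 of the message into the toy modulus range (demo only)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_exponent: int) -> int:
    """Anyone holding the private exponent can produce this value."""
    return pow(_hash_to_int(message), private_exponent, N)


def verify(message: bytes, signature: int, public_exponent: int = E) -> bool:
    """Checks that *some* holder of d signed; needs no secret at all."""
    return pow(signature, public_exponent, N) == _hash_to_int(message)


def mac(message: bytes, key: bytes) -> bytes:
    """Data authentication with a shared key (HMAC-SHA256)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def candidate_signers(message: bytes, signature: int, key_holdings: dict) -> list:
    """Names of everyone whose copy of the private key reproduces the signature.

    key_holdings maps a name to the private exponent that person had, or None
    if they never had it. The rightful owner and a thief who copied the key
    land in the same set: the signature proves possession, not identity.
    """
    return sorted(name for name, d in key_holdings.items()
                  if d is not None and sign(message, d) == signature)


def candidate_mac_producers(message: bytes, tag: bytes, key_holdings: dict) -> list:
    """Names of everyone whose shared key reproduces the tag.

    A MAC key is shared, so the verifier is always in this set too; a tag
    shown to a third party cannot single out the other party.
    """
    return sorted(name for name, key in key_holdings.items()
                  if key is not None and hmac.compare_digest(mac(message, key), tag))


def third_party_can_verify_without_secrets(message: bytes, signature: int) -> bool:
    """A judge given (message, signature, public key) can check the signature
    with public values only, which is what lets the claim be carried to a
    third party. Who held the key is still a separate question."""
    return verify(message, signature)


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"  # constructed sample message
    sig = sign(msg, D)
    # Owner and thief both reproduce the signature; bob never had the key.
    print(candidate_signers(msg, sig, {"alice": D, "thief": D, "bob": None}))
    shared = b"constructed-shared-key"
    # Both ends of a shared-key channel reproduce the tag.
    print(candidate_mac_producers(msg, mac(msg, shared), {"alice": shared, "bank": shared}))
    print(third_party_can_verify_without_secrets(msg, sig))
```

The signature half shows why the thread's "possession of the private signing key" caveat matters: verification tells a third party that the key was used, never which of its holders used it. The MAC half shows why data authentication alone offers nothing to carry to a third party, since the party checking the tag could have produced it.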
