Nonrepudiation - in some sense

[Ben Laurie]

leichter_jerrold at emc.com wrote:
>>From a description of the Imperva "SecureSphere" technology.  Imperva makes 
> firewalls that can "look inside" SSL sessions:
> 
>  	SSL Security that Maintains Non-Repudiation
> 
>  	SecureSphere can inspect the contents of both HTTP and HTTPS
>  	(SSL) traffic.  SecureSphere delivers higher HTTPS performance
>  	than competing reverse proxy point solutions because
>  	SecureSphere decrypts SSL encrypted traffic but does not
>  	terminate it. Therefore SecureSphere simply passes the encrypted
>  	packets unchanged to the application or database server. This
>  	eliminates the overhead of re-packaging (i.e. changing) the
>  	communications, re-negotiating a new SSL connection to the
>  	server, and re-encrypting the information. Moreover, it
>  	maintains the non-repudiation of transactions since the
>  	encrypted communication is between client and application with
>  	no proxy acting as middleman.

Firstly, even if you believe that _any_ crypto provides non-repudiation
(see http://www.apache-ssl.org/tech-legal.pdf for a paper I co-authored
on this and other stuff - executive summary: I don't believe it), you
can't "maintain" the non-repudation of SSL because it doesn't provide
non-repudation.

Secondly, obviously, you can only decrypt SSL if you have the private
key, so presumably this is referring only to incoming SSL connections.

Cheers,

Ben.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com