Maurice klein Gebbinck wrote:
> 
> Hi all,
> 
> This weekend I read the SSL spec and I am wondering about the following.
> Suppose I am the owner of an e-shop and I have a secure webserver. In
> order to make sure that all product orders I get are for real, I require
> that clients present a valid certificate during the SSL handshake.
> However, since after the handshake SSL switches to an encryption method
> based on symmetric keys (right?), it makes no sense to store the
> encrypted order of a client in a database, because the client can always
> argue that I made up the encrypted order myself (which I can since I
> know the symmetric key). The only thing the client cannot deny is that
> he has made a secure connection with my webserver, but apart from that
> nothing can be proven.
> 
> Is this right, and if yes, is there a way within SSL (openssl) to
> provide non-repudiation?

It sounds right to me, and certainly SSL was not intended to provide
non-repudiation as a service. I'd say, therefore, that if you want
non-repudiation, you'd need to add it on top of SSL.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
     - Indira Gandhi
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
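A worked illustration of "adding it on top of SSL", added here as an example and not code from either poster or from OpenSSL: the client signs the order bytes with the private key behind the certificate it presented during the handshake, and the shop stores the order, the signature and the client certificate together. The shop never holds the client's private key, so it cannot have produced that signature itself, which is exactly what the symmetric session key does not give you. The example assumes Go's standard library, ECDSA P-256 with SHA-256, a self-signed client certificate standing in for one issued by a CA the shop trusts (the `roots` pool stands in for that CA), and a constructed sample order; the names `SignedOrder`, `newClientIdentity`, `clientSign` and `serverVerify` are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedOrder is the record the shop keeps per order: the exact bytes the
// client signed, the client's signature over them, and the client's
// certificate (PEM). Only the client holds the matching private key.
type SignedOrder struct {
	Order     []byte
	Signature []byte
	CertPEM   []byte
}

// newClientIdentity makes a throwaway self-signed client certificate for the
// demo (assumption: in a real shop the client already has the key and
// certificate it used for TLS client auth, issued by a CA the shop trusts;
// the returned pool stands in for that CA's roots).
func newClientIdentity(commonName string) (*ecdsa.PrivateKey, []byte, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), roots, nil
}

// clientSign is the client's step: hash the exact order bytes and sign the
// digest with the private key behind its certificate.
func clientSign(key *ecdsa.PrivateKey, certPEM, order []byte) (SignedOrder, error) {
	digest := sha256.Sum256(order)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return SignedOrder{}, err
	}
	return SignedOrder{Order: order, Signature: sig, CertPEM: certPEM}, nil
}

// serverVerify is the shop's step, run on receipt and again whenever the
// record is later produced as evidence: chain the stored certificate to a
// trusted root, then check the signature over the stored order bytes.
func serverVerify(so SignedOrder, roots *x509.CertPool) error {
	block, _ := pem.Decode(so.CertPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("record carries no PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	// CheckSignature hashes so.Order with SHA-256 and verifies the ASN.1
	// ECDSA signature against cert.PublicKey.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, so.Order, so.Signature); err != nil {
		return fmt.Errorf("order signature invalid: %w", err)
	}
	return nil
}

func main() {
	key, certPEM, roots, err := newClientIdentity("alice@example.invalid")
	if err != nil {
		panic(err)
	}
	// Constructed sample order; a real shop would sign a canonical serialisation.
	order := []byte("order-id=1042;sku=ABC-1;qty=3;total=EUR 59.70")
	so, _ := clientSign(key, certPEM, order)
	fmt.Println("genuine order:", serverVerify(so, roots))
	tampered := so
	tampered.Order = []byte("order-id=1042;sku=ABC-1;qty=30;total=EUR 59.70")
	fmt.Println("altered order:", serverVerify(tampered, roots))
	// The shop signing with a key of its own does not verify against the client cert.
	shopKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	forged, _ := clientSign(shopKey, certPEM, order)
	fmt.Println("shop-made signature:", serverVerify(forged, roots))
}
```

The same two steps with the OpenSSL command line are `openssl dgst -sha256 -sign client.key -out order.sig order.txt` on the client and `openssl dgst -sha256 -verify client.pub -signature order.sig order.txt` on the shop, after extracting `client.pub` from the client certificate. The caveats a practitioner would add: the signature proves only that the holder of that private key signed exactly these bytes, so the shop must store the bytes verbatim, keep the certificate (and later its revocation status) with the record, and treat key compromise claims or the lack of a trusted timestamp as limits on how much the record proves.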
