“third party verifiability” would be good. In the current text, I do not
understand what the four "data origination"/"weak data origination" sentences
want to say except “third party verifiability” "and data authentication".
"Message Authentication Codes (MACs) provide data authentication and
integrity protection. They provide either no or very limited data
origination. A MAC, for example, cannot be used to prove the
identity of the sender to a third party."
"They provide
integrity on the data that was encrypted; however, they provide
either no or very limited data origination. (One cannot, for
example, be used to prove the identity of the sender to a third
party.) The ability to provide data origination is linked to how the
CEK is obtained."
"The use of key wrap loses the
weak data origination that is provided by the direct encryption
algorithms."
"The use of static keys allows for the
recipient to get a weak version of data origination for the
message."
/John
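The property the quoted draft sentences describe, as an added example that is not part of the original message or of the COSE drafts: the recipient of a COSE_Mac0 holds the same key as the sender, so a valid tag convinces the recipient (who knows it did not create the message) but proves nothing to a third party. The key, payloads and function names are constructed for illustration; the MAC_structure layout and the HMAC 256/256 algorithm value follow RFC 8152.

```python
import hashlib
import hmac

def cbor_head(major: int, n: int) -> bytes:
    """CBOR initial byte(s) for a major type and a length/count below 65536."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 256:
        return bytes([(major << 5) | 24, n])
    return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")

def bstr(b: bytes) -> bytes:
    return cbor_head(2, len(b)) + b

def mac_structure(protected: bytes, external_aad: bytes, payload: bytes) -> bytes:
    """MAC_structure for COSE_Mac0: ["MAC0", protected, external_aad, payload]."""
    return (cbor_head(4, 4) + cbor_head(3, 4) + b"MAC0"
            + bstr(protected) + bstr(external_aad) + bstr(payload))

PROTECTED = bytes.fromhex("a10105")  # protected header {1: 5}: alg = HMAC 256/256

def compute_tag(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, mac_structure(PROTECTED, b"", payload), hashlib.sha256).digest()

def verify_tag(key: bytes, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(compute_tag(key, payload), tag)

def demo() -> dict:
    shared_key = bytes(range(32))        # constructed key, held by sender AND recipient
    sent = b"pay 10 EUR to Bob"          # constructed payload from the sender
    sent_tag = compute_tag(shared_key, sent)
    # The recipient needs the key to verify, so it can also tag a payload
    # the sender never produced.
    other = b"pay 10000 EUR to Bob"      # constructed payload made by the recipient
    other_tag = compute_tag(shared_key, other)
    return {
        # Recipient's view: valid tag, and it knows it did not make it itself.
        "recipient_accepts_sent": verify_tag(shared_key, sent, sent_tag),
        # Third party's view: both tags verify, so neither proves the sender's identity.
        "third_party_accepts_sent": verify_tag(shared_key, sent, sent_tag),
        "third_party_accepts_other": verify_tag(shared_key, other, other_tag),
        # Integrity still holds against anyone without the key.
        "mismatched_tag_rejected": not verify_tag(shared_key, other, sent_tag),
    }

if __name__ == "__main__":
    print(demo())
```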
-----Original Message-----
From: Jim Schaad <[email protected]>
Date: Friday, 22 November 2019 at 02:29
To: 'Carsten Bormann' <[email protected]>, John Mattsson <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: RE: [COSE] Comments on draft-ietf-cose-rfc8152bis-struct-07 and
draft-ietf-cose-rfc8152bis-algs-06
-----Original Message-----
From: COSE <[email protected]> On Behalf Of Carsten Bormann
Sent: Friday, November 22, 2019 6:40 AM
To: John Mattsson <[email protected]>
Cc: [email protected]
Subject: Re: [COSE] Comments on draft-ietf-cose-rfc8152bis-struct-07 and
draft-ietf-cose-rfc8152bis-algs-06
On Nov 22, 2019, at 06:27, John Mattsson
<[email protected]> wrote:
>
> Could we replace "data origination" with "non-repudiation"?
Preferably not.
[JLS] No really, really not.
If you want the thing that often is identified incorrectly by the latter,
please use a more precise term such as “third party verifiability”.
Non-repudiation is a legal term.
[JLS] Non-repudiation is not a legal term. Repudiation is a legal term.
There is no such thing as non-repudiation, just a legal argument that you can
or cannot repudiate something. I repudiate this signature because Carsten was
holding a gun to my head when I made it. That is a repudiate argument and not
the reverse. Non-repudiation originally had some really weird ideas around
having a technological way of proving things like: It was proven that the key
was in my possession. It was proven that only I could have made the signature.
I knew what I was signing at the time. Those are things that cannot be shown.
Jim
Provenance is often a term used for the former.
BTW, the text might be easier to read when constructs such as “bistro”,
oops, “bstr”, are replaced by “byte string” outside of the CDDL (where byte
strings are indeed called “buster”, oops, “bstr”, or also simply “bytes”). In
the previous sentence, for demonstration, I left in the autocorrects as they
actually happened :-)
Grüße, Carsten
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose