In my work on secure e-commerce, I use (technical, crypto) definitions of non-repudiation, and consider these as critical to many secure e-commerce problems/scenarios/requirements/protocols. Having spent considerable time and effort on appropriate definitions and analysis (proofs), I was/am a bit puzzled and alarmed to find that others in our community seem so vehemently against non-repudiation.
Of course, like other technical terms, there can be many variant definitions; that is not really a problem (the community will gradually focus on few important and distinct variants). Also it's an unavoidable fact of life (imho) that other communities (e.g. legal) use the same term in somewhat different meaning.
So my question is only to people like Ben and Carl who have expressed, if I understood correctly, objection to any form of technical, crypto definition of non-repudiation. I repeat: do you really object and if so why? What of applications/scenarios that seem to require non-repudiation, e.g. certified mail, payments, contract signing,...?
Amir Herzberg Computer Science Department, Bar Ilan University Lectures: http://www.cs.biu.ac.il/~herzbea/book.html Homepage: http://amir.herzberg.name
Enclosed: At 21:33 23/12/2003, Ian Grigg wrote:
Amir Herzberg wrote: > > Ben, Carl and others, > > At 18:23 21/12/2003, Carl Ellison wrote: > > > > >and it included non-repudiation which is an unachievable, > > > nonsense concept. > > Any alternative definition or concept to cover what protocol designers > usually refer to as non-repudiation specifications? For example > non-repudiation of origin, i.e. the ability of recipient to convince a > third party that a message was sent (to him) by a particular sender (at > certain time)? > > Or - do you think this is not an important requirement? > Or what?
I would second this call for some definition!
FWIW, I understand there are two meanings:
some form of legal inability to deny responsibility for an event, and
cryptographically strong and repeatable evidence that a certain piece of data was in the presence of a private key at some point.
Carl and Ben have rubbished "non-repudiation" without defining what they mean, making it rather difficult to respond.
Now, presumably, they mean the first, in that it is a rather hard problem to take the cryptographic property of public keys and then bootstrap that into some form of property that reliably stands in court.
But, whilst challenging, it is possible to achieve legal non-repudiability, depending on your careful use of assumptions. Whether that is a sensible thing or a nice depends on the circumstances ... (e.g., the game that banks play with pin codes).
So, as a point of clarification, are we saying that "non-repudiability" is ONLY the first of the above meanings? And if so, what do we call the second? Or, what is the definition here?
From where I sit, it is better to term these as "legal non-repudiability" or "cryptographic non-repudiability" so as to reduce confusion.
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]