my objection is to the word "sender" which, in definitions I've
read, refers to the human being associated with a particular key.  As long
as we refer to a private key with no implication that this in any way incurs
liability for a human being, then I'm happy -- but e-commerce folks are not.

        It is important to be able to authenticate a message origin and
verify its integrity - the things that a dsig or MAC give you.  When you use
a public-key dsig, you have the added security advantage that the key
capable of forming that signature does not need to be used to verify it.
This is the original technical meaning of the term we're struggling over.
However, in Diffie and Hellman's original paper (which referred to this as
"undeniable", if I remember correctly), the confusion had already set in.  A
key would never deny or repudiate anything. That's an action by a human
being.  However, the use of public key cryptography does not imply anything
about the human being to whom that key pair was assigned.

        So, I would use the terms "authentication" and "integrity
verification" and avoid the term "non-repudiation", since that one refers to
human behavior and invokes liability on human beings.  Since we have no idea
how to make computer systems that capture proof of a human being's behavior
and intentions, we cannot claim to have any evidence that could be
presented in court to show that a particular human being made a particular
commitment, just based on some digital signature.  We can prove that a given
private key (to wit, the one private key corresponding to a public key that
is entered into evidence) formed a signature over some message or file.
However, any attempt to infer more than that is fallacious.

        If you want to use cryptography for e-commerce, then IMHO you need a
contract signed on paper, enforced by normal contract law, in which one
party lists the hash of his public key (or the whole public key) and says
that s/he accepts liability for any digitally signed statement that can be
verified with that public key.

        Any attempt to just assume that someone's acceptance of a PK
certificate amounts to that contract is extremely dangerous, and might even
be seen as an attempt to victimize a whole class of consumers.

 - Carl

|Carl M. Ellison         [EMAIL PROTECTED] |
|    PGP: 75C5 1814 C3E3 AAA7 3F31  47B9 73F1 7E3C 96E7 2B71       |
+---Officer, arrest that man. He's whistling a copyrighted song.---+ 

> -----Original Message-----
> [mailto:[EMAIL PROTECTED] On Behalf Of Amir Herzberg
> Sent: Tuesday, December 23, 2003 1:18 AM
> Subject: Re: Non-repudiation (was RE: The PAIN mnemonic)
> Ben, Carl and others,
> At 18:23 21/12/2003, Carl Ellison wrote:
> > > >and it included non-repudiation which is an unachievable,
> > > >nonsense concept.
> Any alternative definition or concept to cover what protocol designers
> usually refer to as non-repudiation specifications? For example
> non-repudiation of origin, i.e. the ability of recipient to convince a
> third party that a message was sent (to him) by a particular sender (at
> certain time)?
> Or - do you think this is not an important requirement?
> Or what?
> Best regards,
> Amir Herzberg
> Computer Science Department, Bar Ilan University
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to 
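
An added example, not part of the original message and not code from either correspondent: it contrasts a MAC, where the verifying key can also form the tag, with a signature checked against a public key whose hash could be listed in a paper contract. A Lamport one-time signature stands in for a public-key dsig so that only the Python standard library is needed; all names and sample messages are constructed for illustration.

```python
import hashlib, hmac, secrets

def H(b):
    return hashlib.sha256(b).digest()

def bits(msg):
    d = H(msg)  # sign the 256-bit digest, one bit at a time
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_keygen():
    # Private key: 256 pairs of random secrets. Public key: their hashes.
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return priv, [(H(a), H(b)) for a, b in priv]

def lamport_sign(priv, msg):
    # One-time scheme: a key pair must sign a single message only.
    return [priv[i][b] for i, b in enumerate(bits(msg))]

def lamport_verify(pub, msg, sig):
    return len(sig) == 256 and all(
        hmac.compare_digest(H(s), pub[i][b])
        for (i, b), s in zip(enumerate(bits(msg)), sig))

def fingerprint(pub):
    # Hash of the public key: the value a paper contract could list.
    return hashlib.sha256(b"".join(a + b for a, b in pub)).hexdigest()

def mac_verify(key, msg, tag):
    return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), tag)

def demo():
    msg = b"constructed sample: order 100 units"
    other = b"constructed sample: order 900 units"
    # MAC: the key that verifies is the key that forms the tag, so a valid
    # tag shows a third party nothing about which key holder produced it.
    shared = secrets.token_bytes(32)
    tag_by_recipient = hmac.new(shared, other, hashlib.sha256).digest()
    # Signature: the third party holds only the public key and the contract hash.
    priv, pub = lamport_keygen()
    contract_hash = fingerprint(pub)
    sig = lamport_sign(priv, msg)
    return {
        "recipient_made_valid_mac": mac_verify(shared, other, tag_by_recipient),
        "key_matches_contract": fingerprint(pub) == contract_hash,
        "signature_verifies": lamport_verify(pub, msg, sig),
        "sig_accepted_on_other_msg": lamport_verify(pub, other, sig),
    }

if __name__ == "__main__":
    print(demo())
```

The result shows only that the private key matching the listed public key formed the signature; it says nothing about which person operated that key.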
