> Originally, public key systems were said to deliver this property of
> 'nonrepudiation', meaning a digital signature could effectively authenticate
> the intent of the party associated with the private key. However, today such
> a large percentage of endpoint systems (on which the private keys are held)
> are infected with info-stealing malware that most everyone has plausible
> deniability about what is signed with their private keys. (Exceptions being
> perhaps hardware systems that have not been hacked yet and "trust" vendors
> whose organizations are specifically built on their expertise at handling
> private keys.)
>
> So current revocation schemes attempt to preserve nonrepudiation in an
> attempt to make digital signatures more like binding ink signatures on a
> contract.
>
> But automated systems checking for signatures are usually authenticating
> server certs or validating signed code for execution. In these cases, we
> definitely need the party who has been compromised to be able to repudiate
> the evil things that have been signed by their private key.
>
> So it seems to me that PKI systems were designed with some sort of
> legalistic contract-binding model in mind, when it turns out in practice
> that security (even of ecommerce transactions) depends more on an efficient
> repudiation mechanism than the prevention of it!
Marsh, you've hit on a few good points.
The main one is that one of the original purposes of digital signatures is to
make it possible to sign a contract between parties that are not physically
present. That actually works quite well. But there's been mission creep into
absurdity and that happened nearly immediately in the development of digital
signatures.
Nonrepudiation is one of these. I think that the very idea of nonrepudiation
goes back to Leibniz, who thought we could get rid of judges and solve disputes
with, "Gentlemen, let us calculate!" That isn't going to happen, and we only
have to wave towards Messrs. Russell, Whitehead, Goedel, and Turing (Hi, guys!)
and move on.
Nonrepudiation is a somewhat daft belief. Let me give a gedankenexperiment.
Suppose Alice phones up Bob and says, "Hey, Bob, I just noticed that you have a
digital signature from me. Well, ummm, I didn't do it. I have no idea how that
could have happened, but it wasn't me." Nonrepudiation is the belief that the
probability that Alice is telling the truth is less than 2^{-128}, assuming a
3K RSA key or 256-bit ECDSA key either with SHA-256. Moreover, if that
signature was made with a 521-bit ECDSA key and SHA-512, then the probability
she's telling the truth goes down to 2^{-256}.
I don't know about you, but I think that the chance that Alice was hacked is
greater than 1 in 2^128. In fact, I'm willing to believe that the probability
that somehow space aliens, or Alice has an unknown evil twin, or some mad
scientist has invented a cloning ray is greater than one in 2^128. Ironically,
as the key size goes up, then Alice gets even better excuses. If we used a
1k-bit ECDSA key and a 1024-bit hash, then new reasonable excuses for Alice
suggest themselves, like that perhaps she *considered* signing but didn't in
this universe, but in a nearby universe (under the many-worlds interpretation
of quantum mechanics, which all the cool kids believe in this week) she did,
and that signature from a nearby universe somehow leaked over.
This absurd-excuse paradox means that if you *really* believe in
non-repudiation, you need not only to avoid keys that are too small, but too
large.
Now, in the real world, Alice might repudiate the signature, but pay Bob
anyway. Or Bob might just accept Alice's excuse because there are reasonable
chances something odd happened (like Alice got hacked). Or Bob might take Alice
to court, where a judge or jury would assess a constellation of things
including the reasonableness of the contract, Alice and Bob's individual
reputations, and also some defaults (a five-dollar charge might be presumed to
be disputable, and a million-dollar property purchase assumed to not be
disputable).
We got to this problem through some reasonable and unreasonable natural human
things. We inherently distrust new technologies. There was a time when you
couldn't fax a legal document. Then we got used to it. Today, most places will
accept an emailed PDF of a scan of a document, but not all. There are a few
amusing situations where you take a scan, print it, then fax the paper and it's
a legal document, but not that PDF itself, either digitally signed or not.
Nonrepudiation is really an argument that this math combined with some rituals
make bits as good as a fax.
Intent is another good point. Contract law and practice has intent wired
through it all over the place. Trust is also a huge can of worms, as well as
possibly not even being definable.
If we step back, though, this is similar to the code-signing discussion in that
there's *mechanism* of PKI and *policy* of PKI. Not only do we conflate the
two, but we have a tendency to criticize mechanism because of policy, and vice
versa.
That conflation of mechanism and policy is a huge problem, and made worse by
those who want to make it a bigger problem, by wanting to encode policy into
mechanism. Yeah, yeah, they can never be completely separate, but admitting
they aren't the same thing would be a great start.
Jon
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
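As an added illustration of the mechanism/policy split Jon describes (this is example code written for this thread, not anything from the original post or from a library), the script below keeps "the signature verifies" and "we accept the signature" as two separate questions. A Lamport one-time signature over SHA-256 stands in for the RSA/ECDSA keys discussed above, purely so the example needs nothing beyond the Python standard library; the key id, the timestamps and the revocation record are all constructed for the scenario. The mechanism cannot distinguish Alice's genuine signature from one made by whoever stole her key; the revocation policy is what gives her a way to repudiate, and it keys off the verifier's own receipt time rather than any time claimed inside the signed object.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# --- Mechanism: Lamport one-time signature over SHA-256 --------------------
# Stand-in for RSA/ECDSA so the example runs with only the standard library.
# A Lamport key must sign exactly ONE message; signing two leaks more of the
# secret preimages (moot here, since the thief holds the whole secret key).

SecretKey = List[Tuple[bytes, bytes]]
PublicKey = List[Tuple[bytes, bytes]]


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lamport_keygen() -> Tuple[SecretKey, PublicKey]:
    """256 pairs of random 32-byte preimages; the public key is their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def lamport_sign(sk: SecretKey, message: bytes) -> List[bytes]:
    """For each bit of SHA-256(message), reveal the matching preimage."""
    digest = hashlib.sha256(message).digest()
    return [sk[i][bit] for i, bit in enumerate(_bits(digest))]


def lamport_verify(pk: PublicKey, message: bytes, signature: List[bytes]) -> bool:
    """Pure mechanism: does every revealed preimage hash to the published value?"""
    if len(signature) != 256:
        return False
    digest = hashlib.sha256(message).digest()
    return all(
        hashlib.sha256(signature[i]).digest() == pk[i][bit]
        for i, bit in enumerate(_bits(digest))
    )


# --- Policy: revocation is what lets a compromised holder repudiate --------

class Verifier:
    """Keeps 'the signature checks out' separate from 'we accept it'."""

    def __init__(self) -> None:
        self.keys: Dict[str, PublicKey] = {}
        self.compromised_at: Dict[str, int] = {}   # key_id -> reported time

    def register(self, key_id: str, pk: PublicKey) -> None:
        self.keys[key_id] = pk

    def revoke(self, key_id: str, compromised_at: int) -> None:
        """Holder reports the key stolen; the time is their conservative estimate."""
        self.compromised_at[key_id] = compromised_at

    def check(self, key_id: str, message: bytes, signature: List[bytes], seen_at: int) -> str:
        """`seen_at` is the verifier's own clock when it first received the signature,
        never a timestamp claimed inside the signed object (a stolen key can backdate)."""
        pk = self.keys.get(key_id)
        if pk is None:
            return "unknown-key"
        if not lamport_verify(pk, message, signature):
            return "bad-signature"            # mechanism rejects
        revoked = self.compromised_at.get(key_id)
        if revoked is not None and seen_at >= revoked:
            return "repudiated"               # policy rejects a mathematically valid signature
        return "accepted"


def demo() -> List[str]:
    """Constructed scenario: Alice signs, her key is stolen, she repudiates."""
    sk, pk = lamport_keygen()
    v = Verifier()
    v.register("alice-key-1", pk)             # constructed key id
    contract = b"Alice pays Bob 5 dollars"
    sig = lamport_sign(sk, contract)
    results = [v.check("alice-key-1", contract, sig, seen_at=1000)]
    # Info-stealing malware exfiltrates sk; the thief signs something Alice never intended.
    evil = b"Alice pays Mallory 1000000 dollars"
    evil_sig = lamport_sign(sk, evil)
    results.append(v.check("alice-key-1", evil, evil_sig, seen_at=2000))
    # The math alone cannot tell the two signatures apart; only revocation can.
    v.revoke("alice-key-1", compromised_at=1500)
    results.append(v.check("alice-key-1", evil, evil_sig, seen_at=2000))
    results.append(v.check("alice-key-1", contract, sig, seen_at=1000))
    return results


if __name__ == "__main__":
    print(demo())
```

Running it yields accepted, accepted, repudiated, accepted: the forged signature passes verification until Alice reports the compromise, after which the policy layer refuses it while her earlier, pre-compromise signature still stands. Where the policy draws that line (the holder's reported time, an independent timestamping authority, or simply "reject everything once revoked") is exactly the kind of decision that should not be baked into the verification mechanism.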