Re: Property RIghts in Keys
In responding to what Steven M. Bellovin wrote about GeoTrust, I mentioned the low UK copyright law requirement for creativity. As a postscript to that observation, I draw attention to s9(3) of the UK Copyright, Designs and Patents Act 1988: (3) In the case of a literary, dramatic, musical or artistic work which is computer-generated, the author shall be taken to be the person by whom the arrangements necessary for the creation of the work are undertaken. And s178 provides the definition: computer-generated, in relation to a work, means that the work is generated by computer in circumstances such that there is no human author of the work. These provisions seem to me to work quite aptly to encompass a key-pair. Nicholas Bohm -- Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 870285(+44 1279 870285) Mobile 07715 419728(+44 7715 419728) PGP public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
Re: Property RIghts in Keys
Steven M. Bellovin wrote: I was reading a CPS from GeoTrust -- 91 pages of legalese! -- and came across the following statement: Without limiting the generality of the foregoing, GeoTrust's root public keys and the root Certificates containing them, including all self-signed certificates, are the property of GeoTrust. GeoTrust licenses software and hardware manufacturers to reproduce such root Certificates to place copies in trustworthy hardware devices or software. Under what legal theory might a certificate -- or a key! -- be considered property? There wouldn't seem to be enough creativity in a certificate, let alone a key, to qualify for copyright protection. A private key is obviously meant to be kept secret, and commercial secrets are commonly protected as trade secrets (US terminology) or as benefiting from the law about confidentiality (UK terminology). The right to have the secret kept is capable of being seen as a form of intangible property (though whether it is useful to call it intellectual seems to be contentious to some). Forms of certificate seem to be fairly standard, and not many CAs would have much chance of proving that they originated and owned the form they use. Creativity requirements vary quite widely between legal systems. The UK requirement is not high: originality requires primarily that the work originated from the author, not that it required artistic input. A cryptographic key should certainly satisfy that requirement. Copyright seems to be what GeoTrust has in mind in licensing reproduction of the certificates. I won't even comment on the rest of the CPS, not even such gems as Subscribers warrant that ... their private key is protected and that no unauthorized person has ever had access to the Subscriber's private key. And just how can I tell that? A nice example of how lawyers can effectively undermine their CA clients' claims to be adding value. Nicholas Bohm -- Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 870285(+44 1279 870285) Mobile 07715 419728(+44 7715 419728) PGP public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
Re: Certificates turn 30, X.509 turns 20, no-one notices
Peter Gutmann wrote: This doesn't seem to have garnered much attention, but this year marks two milestones in PKI: Loren Kohnfelder's thesis was published 30 years ago, and X.509v1 was published 20 years ago. As a sign of PKI's successful penetration of the marketplace, the premier get- together for PKI folks, the IDtrust Symposium (formerly the PKI Workshop and now in its eighth year) authenticates participants with... username and password, for lack of a working PKI. (OK, it's a bit of a cheap shot and it's been done before, but I thought it was especially significant this year :-). I've never been quite sure whether Public qualifies Key or Infrastructure - this may make a difference to what you count as a PKI. SWIFT (interbank messaging), BOLERO (bills of lading) and CREST (dealing in dematerialised stocks and shares) all use public key cryptography, I believe, and have all been reasonably successful; but they are all closed systems where each of the participants believes that it and the others can stand the risk of contractually-imposed non-repudiation rules (or they used to believe it, anyway). But what these examples illustrate, by the lack of open comparables, is the very limited utility of the technology. Nicholas Bohm -- Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 870285(+44 1279 870285) Mobile 07715 419728(+44 7715 419728) PGP public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Quiet in the list...
Sidney Markowitz wrote: IanG wrote, On 7/9/08 2:06 AM: Then, when a new Thunderbird comes out, you load that up and the other packages cease to work As far as I recall, the last time Thunderbird had an upgrade it told me that one was available, I clicked to upgrade, and the addons, including Enigmail, continue to work. When there was an upgrade available to Enigmail, same thing. And the upgrade to GNUgpg also installed cleanly with no reconfiguration necessary. It has all been as transparent as can be. ... My experience was the same, although I needed some initial help with GPG. Since then, updates have been trouble-free. My only problem with the security model is that Thunderbird/Enigmail stores encrypted messages in encrypted form, and there is no option to store the plaintext. This use of a communications key for stored data is potentially a nuisance - a key corruption or other compromise, or just a wish to delete an old key for forward security, would cause much trouble. (I keep my mail in an encrypted container anyway, so don't need this feature.) This apart, the system runs with remarkable simplicity. Nicholas Bohm -- Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 870285(+44 1279 870285) Mobile 07715 419728(+44 7715 419728) PGP public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: OK, shall we savage another security solution?
Leichter, Jerry wrote: ... If you think about this in general terms, we're at the point where we can avoid having to trust the CPU, memory, disks, programs, OS, etc., in the borrowed box, except to the degree that they give us access to the screen and keyboard. (The problem of securing connections that go through a hostile intermediary we know how to solve.) The keyboard problem is intractable, though it would certainly be a step forward if at least security information didn't go through there. This could be done either by having a small data entry mechanism on the secure device itself, or by using some kind of challenge/response (an LCD on the device supplies a random value - not readable in any way by the connected machine - that you combine with your password before typing it in.) Maybe HDMI will actually have some use in providing a secure path to the screen? (Unlikely, unfortunately.) Would it not be possible to solve the keyboard problem by allowing a keyboard (e.g. USB) to be plugged directly into the device? Nicholas -- Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 870285(+44 1279 870285) Mobile 07715 419728(+44 7715 419728) PGP public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: The bank fraud blame game
Perry E. Metzger wrote: Adam Shostack [EMAIL PROTECTED] writes: On Mon, Jul 02, 2007 at 01:08:12AM +1200, Peter Gutmann wrote: Given that all you need for this is a glorified pocket calculator, you could (in large enough quantities) probably get it made for $10, provided you shot anyone who tried to introduce product-deployment DoS mechanisms like smart cards and EMV into the picture. Now all we need to do is figure out how to get there from here. I'd suggest starting from the deployment, training, and help desk costs. The technology is free, getting users to use it is not. I helped several banks look at this stuff in the late 90s, when cost of a smartcard reader was order ~25, and deployment costs were estimated at $100, and help desk at $50/user/year. Of course, given the magnitude of costs of fraud, and where it may be heading in the near term, the $50 a year may be well spent, especially if it could be cut to $25 with some UI investment. It is all a question of whether you'd rather pay up front with the security apparatus or after the fact in fraud costs... That is why efforts by banks to shift the risk to the customer are pernicious - they distort the incentive the bank ought to have to get the security right. Nicholas Bohm -- Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 870285(+44 1279 870285) Mobile 07715 419728(+44 7715 419728) PGP public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: crypto component services - is there a market?
Stefan Kelm wrote: Nicholas, .. There's another EU Diretive on simplifying, modernising and harmonising the conditions laid down for invoicing in respect of value added tax. Invoices sent by electronic means shall be accepted by Member States provided that the authenticity of the origin and integrity of the contents are guaranteed: - by means of an advanced electronic signature within the meaning of Article 2(2) of Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures; Member States may however ask for the advanced electronic signature to be based on a qualified certificate and created by a secure-signature- creation device, within the meaning of Article 2(6) and (10) of the aforementioned Directive; That's the one I was talking about earlier. eInvoicing slowly seems to take off in a few european countries. I have no idea as to how this Directive has been transposed into UK law, though. I too do not know how the UK has dealt with implementation - the Directive seems to require Member States to accept electronic invoices under the prescribed conditions, but does not prevent them from accepting electronic invoices even without such conditions. My impression, from practical experience of advice given by the UK VAT authorities, is that electronic invoicing in the UK does not require any special guarantees of authenticity or integrity. Nicholas -- Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 870285(+44 1279 870285) Mobile 07715 419728(+44 7715 419728) PGP public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: crypto component services - is there a market?
Stefan Kelm wrote: Same with digital timestamping. Here in Europe, e-invoicing very slowly seems to be becoming a (or should I say the?) long-awaited application for (qualified) electronic signatures. Since electronic invoices need to be archived in most countries some vendors apply time-stamps and recommend to re-apply time-stamps from time to time. When I was in business in the UK (until last year) (as a VAT-registered individual) I issued electronic invoices when convenient to my clients. I found no general requirement for any signature, let alone a qualified electronic one; I had a professional obligation to sign invoices, which I met by the inclusion of a graphic of a handwritten signature. Invoices were dated and copies kept, but there was no requirement for time-stamping or any particular evidence of date of delivery. I received and continue to receive electronic invoices from time to time, but none appear to be digitally signed, nor have I seen evidence of time-stamping in operation. Nicholas -- Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 870285(+44 1279 870285) Mobile 07715 419728(+44 7715 419728) PGP public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?
Steven M. Bellovin wrote: ... Legal access is a special case -- what is the law (and practice) in any given country on forced access to keys? If memory serves, Mike Godwin -- a lawyer who strongly supports crypto, etc. -- has opined that under US law, a subpoena for keys would probably be upheld by the courts. I believe that British law explicitly mandates key disclosure. And of course, there's always rubber hose cryptanalysis in jurisdictions where that's acceptable. In the UK Part III of the Regulation of Investigatory Powers Act 2000 - see http://www.opsi.gov.uk/Acts/acts2000/2023.htm - includes powers for certain classes of officials to require encrypted materials to be decrypted or to require a key to be provided. There are some safeguards, regarded by some as insufficient. The powers have not yet been brought into force, but the Government intends to bring them into force in the near future. The powers are of course wholly ineffectual where perfect forward secrecy obtains, are of limited value in relation to ephemeral encrypted communications where keys are (or may plausibly be claimed to be) changed frequently or lost, but may be of some real value in relation to encrypted storage media where key preservation, with or without key recovery mechanisms, will obviously be important to most users. Nicholas Bohm -- Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 870285(+44 1279 870285) Mobile 07715 419728(+44 7715 419728) PGP public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Interesting bit of a quote
John Kelsey wrote: From: Anne Lynn Wheeler [EMAIL PROTECTED] Sent: Jul 11, 2006 6:45 PM Subject: Re: Interesting bit of a quote .. my slightly different perspective is that audits in the past have somewhat been looking for inconsistencies from independent sources. this worked in the days of paper books from multiple different corporate sources. my claim with the current reliance on IT technology ... that the audited information can be all generated from a single IT source ... invalidating any assumptions about audits being able to look for inconsistencies from independent sources. A reasonable intelligent hacker could make sure that all the information was consistent. It's interesting to me that this same kind of issue comes up in voting security, where computerized counting of hand-marked paper ballots (or punched cards) has been and is being replaced with much more user-friendly DREs, where paper poll books are being replaced with electronic ones, etc. It's easy to have all your procedures built around the idea that records X and Y come from independent sources, and then have technology undermine that assumption. The obvious example of this is rules for recounts and paper record retention which are applied to DREs; the procedures make lots of sense for paper ballots, but no sense at all for DREs. I wonder how many other areas of computer and more general security have this same kind of issue. Another example, possibly of some importance, is found in registers of births, marriages and deaths. Details of the relevant events were entered contemporaneously in local paper ledgers whose pages were numbered. (They were later, perhaps every quarter, copied to central registers.) As a result it was very difficult to create a backdated record, or remove an original one, without it being obvious. When registers consist of electronic databases, these natural protections silently disappear. They could be replaced, perhaps by publishing an authenticated hash of the register every week, and cumulative hashes periodically; but there is no sign of such methods being adopted. The Law Society of England and Wales suggested to the Land Registry that it should adopt some such methods for its electronic land registers, especially when the transactions recorded in the registers become electronic rather than paper transactions, as is planned. I have no reason to think this suggestion will take root. Nicholas Bohm -- Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 871272(+44 1279 871272) Fax 020 7788 2198 (+44 20 7788 2198) Mobile 07715 419728(+44 7715 419728) PGP public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: [Clips] Banks Seek Better Online-Security Tools
Florian Weimer wrote: * Nicholas Bohm: [EMAIL PROTECTED] wrote: You know, I'd wonder how many people on this list use or have used online banking. To start the ball rolling, I have not and won't. --dan I do. My bank provides an RSA SecureId, so I feel reasonably safe against anyone other than the bank. But it's just a token measure. You should be afraid of your own computer, your own network. SecureID does not authenticate the server you're going to send your data to. It does not detect if your computer is compromised. Sure, right now, it might help you personally, but once these simple tokens gain market share, attackers will adjust. It's not a general solution. I accept all that. I hope, not too confidently, that before the attackers adjust enough, banks will start giving their customers FINREAD type secure-signature-creation devices of decent provenance whose security does not rely on non-compromise of my PC or network. Nicholas Bohm -- Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 871272(+44 1279 871272) Fax 020 7788 2198 (+44 20 7788 2198) Mobile 07715 419728(+44 7715 419728) PGP public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: [Clips] Banks Seek Better Online-Security Tools
Kerry Thompson wrote: [EMAIL PROTECTED] said: You know, I'd wonder how many people on this list use or have used online banking. To start the ball rolling, I have not and won't. I do. Although, only from PCs that I trust such as my linux box at home. And I keep a close watch on my bank statements. All things considered, its safer than posting cheques or distributing your credit card number around. That depends on how the risk of loss is allocated. This can vary between different legal systems, and may depend on the terms in force between bank and customer. For an exploration of this in the context of English law, see http://elj.warwick.ac.uk/jilt/00-3/bohm.html Nicholas Bohm -- Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 871272(+44 1279 871272) Fax 020 7788 2198 (+44 20 7788 2198) Mobile 07715 419728(+44 7715 419728) PGP public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: [Clips] Banks Seek Better Online-Security Tools
[EMAIL PROTECTED] wrote: You know, I'd wonder how many people on this list use or have used online banking. To start the ball rolling, I have not and won't. --dan I do. My bank provides an RSA SecureId, so I feel reasonably safe against anyone other than the bank. I have no basis for knowing how good the bank's precautions against insider fraud are, but they phone back to confirm unusual instructions, and they ask for only fragments of passwords when they do, so there is evidence that they make sensible efforts to do the right thing. I have been a good customer for more than 30 years, it's a highly respectable specialist bank, I am a lawyer, and if I find a fake transaction on my account I believe I stand a good chance of fighting it. I know who to hire as an expert to investigate the bank's system when I have put it in issue in litigation. The aggregate of my balance and my credit limit is an amount I can afford to lose. In this context the convenience of online banking is enough to justify the risk. Nicholas Bohm -- Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 871272(+44 1279 871272) Fax 020 7788 2198 (+44 20 7788 2198) Mobile 07715 419728(+44 7715 419728) PGP public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: the effects of a spy
Perry E. Metzger wrote: Steven M. Bellovin [EMAIL PROTECTED] writes: Bruce Schneier's newsletter Cryptogram has the following fascinating link: http://www.fas.org/irp/eprint/heath.pdf It's the story of effects of a single spy who betrayed keys and encryptor designs. [...] One intriguing question that I was left with after reading the whole thing was not mentioned in the document at all. One portion of the NSA's role is to break other people's codes. However, we also have to assume that equipment would fall into the wrong people's hands at intervals, as happened with the Pueblo incident. If properly designed, the compromise of such equipment won't reveal communications, but there is no way to prevent it from revealing methods, which could then be exploited by an opponent to secure their own communications. Does the tension between securing one's own communications and breaking an opponents communications sometimes drive the use of COMSEC gear that may be too close to the edge for comfort, for fear of revealing too much about more secure methods? If so, does the public revelation of Suite B mean that the NSA has decided it prefers to keep communications secure to breaking opposition communications? Of historical interest on this question there is useful material in Between Silk and Cyanide by Leo Marks. Marks was responsible for ciphers used during WWII by SOE for communications with agents in German occupied Europe. He describes an episode when he was visited by people from Bletchley Park who were concerned that he was equipping agents with ciphers that (he deduced) were too strong for Bletchley Park to attack if they should fall into German hands and come into use by them. It is understandable, particularly during the Battle of the Atlantic, that UK priorities should have been to maintain the availability of breaks into enemy traffic even at the risk of hazarding communications with agents. (If Britain had failed in the Atlantic the war in the west would have been over. If SOE failed, there were no short-term consequences of similar seriousness.) The preservation of secrecy about those breaks for nearly thirty years after the end of the war suggests that those priorities may have become ossified, which may in turn account for excessive governmental anxieties over the spread of strong cryptography. Any change in these priorities would be of great interest. Nicholas Bohm -- Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 871272(+44 1279 871272) Fax 020 7788 2198 (+44 20 7788 2198) Mobile 07715 419728(+44 7715 419728) PGP public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: How thorough are the hash breaks, anyway?
At 16:09 26/08/2004, Trei, Peter wrote: [snip] Looking over the recent work on hash collisions, one thing that struck me was that they all seem to be attacks on known plaintext - the 'plaintexts' which collided were very close to each other, varying in only a few bits. While any weakness is a concern, and I'm not going to use any of the compromised algorithms in new systems, this type of break seems to be of limited utility. It allows you (if you're fortunate) to modify a signed message and have the signature still check out. However, if you don't know the original plaintext it does not seem to allow you construct a second message with the same hash. [snip] From a lawyer's perspective, it seems worrying that a message into which the word not has been inserted might still have the same hash as the original (assuming the hash to be a component of an electronic signature) Regards Nicholas Bohm Salkyns, Great Canfield, Takeley, Bishops Stortford CM22 6SX, UK Phone 01279 871272(+44 1279 871272) Fax 020 7788 2198 (+44 20 7788 2198) Mobile 07715 419728(+44 7715 419728) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
authentication and authorization (was: Question on the state of the security industry)
At 12:26 PM 7/1/2004, John Denker wrote: The object of phishing is to perpetrate so-called identity theft, so I must begin by objecting to that concept on two different grounds. Subsequent posters have doubted the wisdom of quibbling with the term identity theft. I think the terminology deserves some attention of its own. There is a long-established term, impersonation, which is wholly adequate to describe what is now called identity theft. Is this just a change of fashion? I suggest that there is more to the change. Impersonation as a term focuses attention on the fact that the criminal is deceiving someone in order to gain advantage by claiming to have some valuable characteristics or authorisations in fact belonging not to the criminal but to some other person. The person deceived is the primary victim in contemplation when this terminology is used. Identity theft, by contrast, suggests that the victim is the person impersonated, because his or her identity has been stolen. This way of looking at things implies that the losses which arise out of the impersonation fall on the person impersonated, rather than on the person deceived by the impersonation. Identity theft as a label is attractive to, for example, banks who may wish to suggest that losses must be carried by their customers because they failed to take proper care of their identity. I think the use of the term identity theft should alert us to the risk that victims of crime are trying to pass the blame and the loss to someone else. Regards Nicholas Salkyns, Great Canfield, Takeley, Bishops Stortford CM22 6SX, UK Phone 01279 871272(+44 1279 871272) Fax 020 7788 2198 (+44 20 7788 2198) Mobile 07715 419728(+44 7715 419728) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: [Fwd: Re: Non-repudiation (was RE: The PAIN mnemonic)]
At 11:42 07/01/2004 -0800, Ed Gerck wrote: Jerrold Leichter wrote: Now that we've trashed non-repudiation ... Huh? Processes that can be conclusive are useful and do exist, I read here, in the legal domain. It may not be so clear how such processes can exist in the technical domain and that's why I'm posting ;-) just how is it different from authentication? Using an information theory model, it's clear that authentication needs one channel of information (e.g., the CA's public key, the password list) in addition to the signal (e.g., a signed message, a username/password entry). Authentication rests on the information channel being trusted (i.e., independently verifiable). In this model, non-repudiation is different because it needs at least one additional out-of-band signal (where authenticated absence of the signal is also effective). BTW, that's why digital signatures per se are repudiable -- there's no second, out-of-band signal. An additional technical difference is that authentication promotes strength of evidence while non-repudiation promotes lack of repudiation of evidence. The latter is intuitively recognized to be stronger because a single, effective denial of an act can rebuke any number of strong affirmations. This also means, intuitively, that another difference exists. Non-repudiation should be harder to accomplish than authentication (you want more, you need to pay more). However, to the extent that the process *can be* conclusive, non-repudiation may be worth it. Imagine the added costs, time and hassle (going back to a real-world comparison) if your bank would have to call you to confirm payment for every check you sign? This would be the case if paying a check could not be cast as a conclusive process for the bank (i.e., without the possibility of an irrebuttable presumption of payability). In the UK, but not in other countries, there is a statutory rule which prevents a bank from debiting a customer's account with a forged cheque (if you will forgive the British spelling), with only very limited exceptions. If the customer repudiates a signature, it is for the bank to prove the genuineness of the signature, or suffer the loss. My bank has once or twice telephoned to check the genuineness of an unusual transaction, though this over a period of many years. This is not to disagree with your comments, but to observe that existing paper systems can work satisfactorily without non-repudiation rules. There are obvious advantages to some parties in such systems if it adopts a non-repudiation rule, probably matched with corresponding disadvantages for others. The change from paper to electronic systems of course also alters the balance of risks and the approach of banks to non-repudiation rules. I and colleagues have written about this at: http://elj.warwick.ac.uk/jilt/00-3/bohm.html Regards Nicholas Bohm Salkyns, Great Canfield, Takeley, Bishops Stortford CM22 6SX, UK Phone01279 871272(+44 1279 871272) Fax020 7788 2198(+44 20 7788 2198) - please note new fax number Mobile07715 419728 (+44 7715 419728) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF