Re: Non-repudiation (was RE: The PAIN mnemonic)

Carl Ellison wrote:
>         If you want to use cryptography for e-commerce, then IMHO you need a
> contract signed on paper, enforced by normal contract law, in which one
> party lists the hash of his public key (or the whole public key) and says
> that s/he accepts liability for any digitally signed statement that can be
> verified with that public key.

One of the things my paper discusses is that under UK law a signature on 
an email is just as binding as on paper, because contracts are all about 
intent to be bound and not the medium in which they are captured. Of 
course, if you want to repudiate an email it is probably easier, 
especially if you signed it by typing your name at the bottom (yes, this 
is a valid signature under UK law), but that's a judgement call on the 
part of the relying party.

>         Any attempt to just assume that someone's acceptance of a PK
> certificate amounts to that contract is extremely dangerous, and might even
> be seen as an attempt to victimize a whole class of consumers.

Agreed - as I say, its all about intent and reliance. Nothing is automatic.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@xxxxxxxxxxxx