Defining Non-Repudiation (ietf.x509, msg#00300)

The thread "Authentication vs. binding signature, and ephemeral vs. perm" reveals several different interpretations of "non-repudiation".

Say you receive a signed object, whose key certificate leads you to believe that the object was signed by me. In turn, I repudiate the signature. Does this mean:

A. I claim that I have never been the (proper) owner of that key. I.e., someone must have represented themselves to a CA as me in order to fraudulently obtain a certificate. I may disclaim having ever been in physical possession of the key.

B. I claim that the signature was made after the certificate had either expired or been revoked (regardless of who actually effected the signature operation).

C. I claim that I never (consciously or otherwise) performed the signature operation in question, although I may be the current key-owner and the key may have been (erroneously) "valid" at the time of signature.

A related question: Who has the "burden of proof" in each of the non-repudiation examples given above? The "repudiator" (ostensible signer), the "repudiatee" (relying party), or the certificate issuer (CA)?

Talk of the "NR" bit being an indication of promised CA archiving seems only to address case (B) above, and is a limited view of non-repudiation. As a relying party, I would want to employ an independent agent in the archiving of materials that would bear upon the repudiability of any high-value transaction. Even this seems of limited value in covering all three cases.

I guess I find it hard to understand how your purchase of an "expensive, high-class" certificate gives me greater assurance against non-repudiation on your part, at least as it relates to the examples given above.

___tony___

Tony Bartoletti
SPI-NET GURU
Computer Security Technology Center
Lawrence Livermore National Lab
PO Box 808, L - 303
Livermore, CA 94551-9900
email: azb@xxxxxxxx
phone: 510-422-3881
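To make the point about case (B) concrete, here is an added example that is not part of the original message or the ietf.x509 thread: a relying party's check over the artifacts it could archive (the signer's certificate validity window and nonRepudiation KeyUsage bit, the CA's revocation record, and an independently timestamped signing time). The data model, class names, subject and dates are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Optional

# Constructed model (not from the original message) of what a relying party
# could archive: signer cert, CA revocation record, trusted signing time.

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

@dataclass(frozen=True)
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime
    key_usage: FrozenSet[str]  # X.509 KeyUsage bit names, e.g. "nonRepudiation"

@dataclass(frozen=True)
class RevocationRecord:
    revoked_at: Optional[datetime]  # None if the CA never revoked the cert

def case_b_reason(cert, crl, signing_time):
    """Why a case (B) claim (signed after expiry or revocation) would stand,
    or None when the evidence places the signature inside the certificate's
    valid, unrevoked lifetime under a key flagged nonRepudiation."""
    if "nonRepudiation" not in cert.key_usage:
        return "nr-bit-absent"  # CA promised no archiving for this key
    if signing_time < cert.not_before:
        return "not-yet-valid"
    if signing_time > cert.not_after:
        return "expired"
    if crl.revoked_at is not None and signing_time >= crl.revoked_at:
        return "revoked"
    return None

def contestable_claims(cert, crl, signing_time):
    """Which of the three repudiation claims the PKI evidence can contest.
    (A) key ownership and (C) who performed the operation are not decided
    by certificate status, so they stay False whatever the dates say."""
    return {"A": False,
            "B": case_b_reason(cert, crl, signing_time) is None,
            "C": False}

# Constructed sample: a certificate valid for 1998, revoked on 1 June.
SIGNER_CERT = Certificate("CN=Constructed Signer", utc(1998, 1, 1),
                          utc(1998, 12, 31),
                          frozenset({"digitalSignature", "nonRepudiation"}))
REVOKED_JUNE = RevocationRecord(revoked_at=utc(1998, 6, 1))
NEVER_REVOKED = RevocationRecord(revoked_at=None)
```

Only the "B" entry ever changes with the dates; claims (A) and (C) stay open to the relying party no matter what class of certificate was bought.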