
Re: Defining Non-Repudiation: msg#00308

ietf.x509

Subject: Re: Defining Non-Repudiation

Hi Tony,

many times I've asked myself the same question. What is non-Repudiation?
I came to the following conclusions:

The problem and the confusion caused by the term non-Repudiation is
due to the fact that it is defined as a KeyUsage bit, so it's an
attribute of the key contained in the certificate to distinguish keys
or restrict the usage of the key.
Non-Repudiation really is not a key attribute but a feature of the digital
signature and PKI concept. Now, people are trying to define how
non-Repudiation is related to a key and which implications it has
for the key..., e.g. the key must not be used for automatic signatures.

Let me try to define non-Repudiation:
Non-Repudiation of a transaction is usually achieved by a protocol
using digital signatures where at the end of the protocol both parties
have a contract signed by both parties. So none of the parties can
repudiate the transaction.
Non-Repudiation of a single signed message or object is achieved by
the cryptographic characteristics of asymmetric algorithms (only
the holder of the private key can create the signature) combined with
the PKI concept (a trusted third party confirms the binding between
the key and the identity of the person).

> Talk of the "NR" bit being an indication of promised CA archiving
> seems only to address case (B) above, and is a limited view of
> non-repudiation.

The big important question is what is the meaning of the NR bit in the
certificate used to create a signature?
IMHO, when verifying a signature using an NR certificate, the verifier can
be assured that:
- the CA has carefully checked the identity information of the signer
- the verifier may get information from my CA even long after my
certificate has expired
and maybe:
- the signer is using a high quality signature software/hardware
- the signer is using approved algorithms and key sizes

So non-Repudiation is a service offered by a CA by checking the
requestor's identity and signature components before issuing the
certificate and archiving the certificates for future use.
Due to the above characteristics I cannot repudiate my signature except
in the case of an unnoticed key compromise. So the meaning of the NR bit is more
like something you would usually write in a policy. It's a quality mark
of a certificate.

> Say you receive signed object, whose key certificate leads you to
> believe that the object was signed by me. In turn, I repudiate
> the signature. Does this mean:
>
> A. I claim that I have never been the (proper) owner of that key.
>
> I.e., someone must have represented themselves to a CA as me
> in order to fraudulently obtain a certificate. I may disclaim
> having ever been in physical possession of the key.

this cannot happen if the CA is checking the identity information
properly (non-Repudiation service of the CA)

> B. I claim that the signature was made after the certificate had
> either expired or been revoked (regardless of who actually
> effected the signature operation.)

I don't need to repudiate a signature after the certificate had either
expired or been revoked because the signature is invalid anyhow.
The only case I need to repudiate a signature is if a revoked
certificate expires and the revocation information is lost. In this
case the CA is still able to tell when the certificate has been revoked
(non-Repudiation service of the CA)

> C. I claim that I never (consciously or otherwise) performed the
> signature operation in question, although I may be the current
> key-owner and the key may have been (erroneously) "valid" at the
> time of signature.

This is the case of an unnoticed key compromise.


Regards Petra

Attachment: vcard.vcf
Description: Card for Petra Glöckner

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
