RE: Defining Non-Repudiation

All,

There has been considerable discussion and debate on these
lists regarding the proper use of the DS and NR KeyUsage bits
in X.509v3 certificates.

Lets look at this from a legal perspective for a moment,
since a large part of digital signatures is being able
to place some reliance on the data that is digitally signed.

In the US, private contract law is governed primarily by the
laws of the various US states. Under the Uniform Commercial Code 
(in effect for many years now), as enacted by US state laws, 
a signature is defined as "any symbol executed or adopted by 
a party with the present intention to authenticate a writing". 

This means that my typed name at the bottom of this message
constitutes a valid "signature" under the law. This is a practice
many people use in their e-mails, and it has a binding effect
today, under present law. Were this e-mail digitally signed, you
"might" be able to consider it a signature, but only if it were
consciously signed by me with the "present intention to authenticate"
this message.

As a relying party this digital signature carries no more legal
weight that my typed signature below. In a dispute, you as the relier
would have the burden of proof that the signature on this message,
whether typed or digitally signed, was valid. The court and/or jury
would have to decide whether your reliance was "reasonable under
the facts and circumstances" of the matter. It would make no
difference what KeyUsage bit was set.

In determining "reasonable reliance" there is a broad continuum.
In the case of the typed signature: Do you personally know me?
What other information did you have about me? What other correspondence
have you received from me? Do you know my address and phone
numbers? etc. etc. In the case of the digital signature the same
questions would apply, plus: Do you understand anything about PKI?
Who issued the certificate? What application software did you use to
receive and verify the message?

In fact, most people outside of this mailing list would quite reasonably
have less comfort with this message were it digitally signed as opposed
to a typed closing signature.

Woe on the first relying party to litigate a repudiated digital 
signature. It will likely cost over US$100,000.

Fortunately, there is a way out of this messy state of affairs. And
it impacts the DS/NR question.

The US State of Illinois, after 18 months of study by the Illinois
Commission on Electronic Commerce and Crime, passed a new EC law
(to take effect July 1, 1999) titled the "Electronic Commerce
Security Act". This comprehensive law not only recognizes digital
signatures as being equally valid as a UCC (above) signature, but it
create a new class of signature called a "secure electronic signature"
and a new class of data record called a "secure electronic record".

To quote from the Commission's report: "Secure electronic records and 
secure electronic signatures define categories of records and 
signatures that are accorded heightened evidentiary presumptions 
because of their enhanced reliability and trustworthiness, 
just as notarized documents are accorded heightened evidentiary 
presumptions for the same reason.  The concept of a secure electronic 
record and a secure electronic signature is critical to enabling 
electronic commerce.  Businesses will be much more willing to enter 
into commercial transactions, extend credit, commit resources, 
ship goods, or otherwise rely on messages from contracting parties 
transmitted over public networks such as the Internet when they can 
be assured that such records and signatures will be accorded the 
heightened evidentiary presumptions necessary to effectively make 
their transactions nonrepudiable."

The effect of this is that a relying party may presume that a
"secure electronic signature" is valid and in a dispute the burden
of proof shifts to the signer to rebut the presumption.

This is the quality we would all like in a non-repudiable 
digital signature. It will be necessary for other jurisdictions to
follow the Illinois lead in order to give us the PKI world we would
want (at least as far as digisig is concerned). I would urge Petra
to consider this approach in the German legislation.

In order to achieve this GOLD CARD level of non-repudiation the law
provides as follows:

----START
Section 10-110.  Secure electronic signature.

(a)     If, through the use of a qualified security procedure, 
it can be verified that an electronic signature is the signature of a 
specific person, then such electronic signature shall be considered to 
be a secure electronic signature at the time of verification, if the 
relying party establishes that the qualified security procedure was: 

      (1)       commercially reasonable under the circumstances, 

      (2)       applied by the relying party in a trustworthy manner,
and

      (3)       reasonably and in good faith relied upon by the relying
party.

(b)     A qualified security procedure for purposes of this Section is a

security procedure for identifying a person that is:

        (1)     previously agreed to by the parties, or

        (2)     certified by the Secretary of State in accordance with 
Section 10-135 as being capable of creating, in a trustworthy manner, 
an electronic signature that:

      (A)       is unique to the signer within the context in which it
is used;

      (B)       can be used to objectively identify the person signing
the 
electronic record;

      (C)       was reliably created by such identified person, (e.g., 
because some aspect of the procedure involves the use of a signature 
device or other means or method that is under the sole control of such 
person), and that cannot be readily duplicated or compromised, and

      (D)       is created, and is linked to the electronic record to
which it relates, in a manner such that if the record or the signature
is intentionally or unintentionally changed after signing the electronic
signature is invalidated.

----END

So, what's a qualified security procedure in the case of digital
signatures?
The law provides:

----START
Section 15-105.  Secure electronic signature.  A digital signature that 
is created using an asymmetric algorithm certified by the Secretary 
of State under item (2) of subsection (b) of Section 10-110 shall be 
considered to be a qualified security procedure for purposes of 
identifying a person under Section 10-110 if:

(1)     The digital signature was created during the operational period 
of a valid certificate, was used within the scope of any other 
restrictions specified or incorporated by reference in the certificate, 
if any, and can be verified by reference to the public key listed in 
the certificate; and

(2)     The certificate is considered trustworthy (i.e., an accurate 
binding of a public key to a person's identity) because the certificate 
was issued by a certification authority in accordance with standards, 
procedures, and other requirements specified by the Secretary of State, 
or the trier of fact independently finds that the certificate was issued

in a trustworthy manner by a certification authority that properly 
authenticated the subscriber and the subscriber's public key, or 
otherwise finds that the material information set forth in the 
certificate is true.
----END

So, what are the implications for the PKIX draft and this debate
about DS/NR keybits?

I believe the Illinois ECS Act gives us strong guidance on the direction
of the law (at least US law). The key issue for PKIX is expressed in
paragraph 1 of Section 15-105 above. Namely, that the digital signature
"was used within the scope of any other restrictions specified or 
incorporated by reference in the certificate, if any...".

IMHO, this says that it's really up to the CA and what they say in
their CPS and any Certificate Policies adopted by the CA. If a CA
adopts the PKIX profile, which they don't have to, then it would be
up to the CA to further clarify the meaning of the NR bit in their
certificates. To me, the NR bit is a requirement for any CA whose
certificates will be used in an open environment, and whose certs
are intended to establish the kind of non-repudiation contemplated
by the Illinois law. The DS bit is irrelevant in this context.

Of course it would be great if the application software would pay
any attention at all to the v3 extensions in a certificate. But,
that's another story.


Bill Brice, Chief PKI Architect
International DataTrust
PO Box 670789
Dallas, TX 75367-0789
+1.214.706.9320 (direct), +1.214.706.9321 (fax) 

P.S. I'm not an attorney. While I participate in the American Bar
Association's Information Security Committee, these opinions are
my own and you should conduct your own investigation and seek
you own legal advice on these matters. :)