Re: Defining Non-Repudiation: msg#00318

ietf.x509

Subject: Re: Defining Non-Repudiation

I went through a 6 month process in finalizing our certificate policy in
cooperation with Sweden's best legal experts in this area.

May I very shortly offer some of our basic conclusions:

1) When a CA issues a certificate it will be tied to some defined
liabilities towards subscribers and relying parties.

2) The CA can state limitations on these liabilities for damages in certain
situations which may include limitations of liability if the certified key
was used in conflict with its key usage definitions.

3) The CA does not guarantee anything except that it will follow the
practices and procedures defined by the policy, and specified by its CPS.

4) If the CA identifies the key usage "non-repudiation" in a certificate,
this will only tell the signing entity and the relying party that the CA
will be bound by its liabilities if the key is used for such service.

5) If a signature is repudiated the involved entities are faced with a
dispute resolution procedure, according to law and/or their mutual
agreements, which might take place in court. In this procedure the parties
will provide evidence for their case. Such evidence may include the
certificate, certificate policy and the CPS undertaken by the CA as a help
to establish the evidence value of the signature.

6) If the dispute resolution leads to losses for some entities, due to an
incorrectly issued certificate or other failure by the CA, the party
suffering from losses may claim compensation from the CA. In this case the
CA may be liable for some part of the losses IF the CA has failed to meet
its obligations.

So non-repudiation is nothing definite and it includes several aspects and
independent relations. The main relation subject to non-repudiation
services and their resolution is however always between the signing entity
and the relying party. It is only they who in the end define the exact
meaning of a specific non-repudiation service. The only reason for them to
stay within the CA's definition of non-repudiation is to have a possibility
to make the CA liable for losses in some cases of disputes.

However, any non-repudiation service has to stay within the general
definitions, supplied by X.509 and PKIX, to expect any evidence value. This
is why these definitions are so important.

Hope this helps in sorting things out.

/Stefan



At 11:03 AM 8/21/98 -0700, you wrote:
>All,
>
>I agree with the gist of what most of you have stated. In general terms,
>we all know that the CA is responsible for catching attempts at fraudulent
>certificate subscription. Neither the relying party, nor the impersonated
>victim can assist in this prevention.
>
>We also know that the use to which a private key is put is under the control
>of the key-holder (subscriber). Unless I am mistaken, it is also the
>subscriber who has (marginal) control of the "signing software". I also
>believe that most signing software does not demand the presence of a valid
>certificate in _applying_ the key (please correct me if I am wrong).
>
>Also, the "enduring signature" (allowing validation after cert expiration)
>certainly required some archiving of certs and/or CRLs by someone...
>
>Finally, it is the relying party that controls the "validation software",
>which does (can) demand appropriate certificates be present to successfully
>process a signed transaction.
>
>Given all of this, the intent of the "NR" bit should be described in terms
>of what (pkix-compliant) software is forced to rely upon it, and with what
>implications. Otherwise it seems to be nothing more than an advisory, or
>at most, a promise of greater "due diligence" from the CA in exchange for
>a bigger pile of coins.
>
>I update the scenarios I gave previously, for thought:
>
>1. Claim Fraudulent Subscription.
>
> As a criminal, I take the effort to impersonate you so well (false IDs)
> that I get a CA to issue a "NR" cert to me in your name, etc. Granted
> the CA followed their CPS to the letter, but were still fooled.
>
> In this case, what does the NR bit do for anyone (except the criminal.)
>
>2. Claim Flawed Validity:
>
> A (possibly expired) key is used to sign a transaction where the signing
> date is abused. The criminal "backdates" the signature. Is this even
> an NR-case at all? Here, it seems it is the relying party that will
> want to repudiate the validity.
>
>3. Claim Covert Compromise:
>
> Despite your best efforts, someone stole your key (or so you claim).
> Where, if at all, does the NR-bit affect this situation?
>
>I hope I am not coming across as obstructionist. I simply do not understand
>what the NR-bit is saying, and to whom it is speaking. Enlightenment
>welcome!
>
>___tony___
>
>Tony Bartoletti
>SPI-NET GURU
>Computer Security Technology Center
>Lawrence Livermore National Lab
>PO Box 808, L - 303
>Livermore, CA 94551-9900
>email: azb@xxxxxxxx phone: 510-422-3881
>
>
-------------------------------------------------------------------
Stefan Santesson <stefan@xxxxxxxxxxx>
Accurata Systemsäkerhet AB
Lotsgatan 27 D Tel. +46-40 152211
216 42 Malmö Fax. +46-40 150790
Sweden Mobile +46-70 5247799

PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0
-------------------------------------------------------------------
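
The thread asks what validation software on the relying party's side can actually do with the "NR" bit. The following is an added example, not code from either poster or from PKIX: it decodes the DER BIT STRING carried in an X.509 keyUsage extension (nonRepudiation is bit 1) and applies a hypothetical relying-party acceptance policy. The function names, the policy itself and the sample bytes are assumptions constructed for illustration.

```python
# Added example: function names, policy and sample bytes are constructed.
# Bit positions follow the X.509 / PKIX KeyUsage definition (bit 0 first).
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)


def decode_key_usage(der):
    """Return the set of usage names asserted in a DER-encoded KeyUsage."""
    if len(der) < 4 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING with content")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused, payload = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    if payload[-1] & ((1 << unused) - 1):
        raise ValueError("padding bits must be zero in DER")
    total_bits = len(payload) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        # Bit 0 is the most significant bit of the first content byte.
        if payload[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names


def accept_for_nr_service(key_usage_der, require_nr=True):
    """Hypothetical relying-party policy: (accepted, reason).

    With require_nr=True the signature is accepted only when the CA has
    asserted nonRepudiation; an absent extension asserts nothing.
    """
    if key_usage_der is None:
        return (not require_nr, "no keyUsage extension present")
    usages = decode_key_usage(key_usage_der)
    if require_nr and "nonRepudiation" not in usages:
        return (False, "nonRepudiation not asserted by the CA")
    if not usages & {"digitalSignature", "nonRepudiation"}:
        return (False, "key not certified for signing")
    return (True, "ok")
```

The check only tells the relying party what the CA asserted in the certificate; it says nothing about the three dispute scenarios listed in the quoted message, which remain matters of evidence and policy.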


