Discussion:
Non repudiation in internet banking
Stephen Kent
2010-03-12 19:01:24 UTC
> Dear PKI experts,
> I'd like to ask you one simple but important question, because I don't
> have any idea about authentication and non-repudiation in overseas
> internet banking practice.
> I heard that a general internet banking system in many countries has
> adopted a combination of authentication mechanisms: SSL and OTP or
> ID/PWD.
> Am I right?

In the U.S. TLS (with server-only authentication) is commonly used to
protect online banking sessions. OTP is used in some instances, but
passwords are much more common. As of about 2 years ago, more banking
web sites introduced an intermediate page that displays a user-selected
image or phrase to assure the user that the web site he/she reached is
that of the bank, as a countermeasure to phishing attacks.

> If so, how can those concerned internet banks establish non-repudiation
> and integrity on the financial transactions without digital signature?

Integrity is provided by TLS use. NR is not provided by technical means.
In the U.S., consumer protection laws are such that, in general, NR is
viewed as critically needed.

Steve
Stephen Wilson
2010-03-12 19:39:37 UTC
This is the best example of why technical "Non Repudiation" is a myth.
There are many many ways to make it difficult for someone to falsely
repudiate a transaction. You do not need PKI to create "non repudiation".

If it WAS unique in this regard then consider this thought experiment. I
could go to my bank and try to repudiate every Internet transaction I
ever made, because none of them were digitally signed. I would say to
the bank, "I did not make those transactions and because you're NOT
using non-repudiable PKI, then you cannot STOP me repudiating them." But
they would respond "You sound like a weirdo, we've got the audit logs
that prove what you did, see you in court".

Another thought experiment: imagine that the NR bit is asserted / not
asserted in someone's certificate. The subject ends up in court and
lawyers start arguing about whether the subject really did undertake
some digitally signed transaction, and whether they meant to be bound by
their digital signature. The case will turn on evidence relating to the
subject's truthfulness and credibility, and the software's user
interface. I cannot imagine that the state of the NR bit is going to
have any bearing at all. Most subjects won't even know if the bit is
asserted or not. All the NR bit provides is a degree of ass-covering for
CAs to flag whether or not their certificates are to be 'taken
seriously'. Even if an expert witness convinced the judge that the NR
bit had some meaning, the more pressing question would still be, Did the
subject knowingly undertake a transaction by invoking their private key
with the intent to be bound? If something goes wrong and the CA is being
joined in some legal action, then the question of their liability will
similarly have almost nothing to do with the state of the NR bit, it
will have to do with the Ts&Cs and the representations the CA made to
the subject about what the certificate is good for. The NR bit should be
consistent with those representations but its actual state will have
almost no bearing on the CA's liability.

Has there been any experience of this sort of dispute in practice where
the NR bit came into play?

I sincerely believe that "non repudiation" has proven to be one of the
most unhelpful properties claimed for PKI. Personally I never ever use
it when promoting the benefits of PKI. I should say that I remain a
very big fan and advocate of PKI in Australia and SE Asia. But I
concentrate on the benefits of being able to strongly bind a signatory's
digital credentials to their transactions by digital signature such that
the credentials and the authentication remain verifiable for a very long
time, by essentially any relying party, because they're a snapshot of
the issuer's relationship to the subject. These properties are
unnecessary in real time hub-and-spoke transactions like Internet
banking, but they are mission critical in going paperless in e-health,
superannuation, property conveyancing and the like, because credentials
of signers are not available in the future, when old transactions like
prescriptions, health records, and property deeds need to be re-validated.

Cheers,

Stephen Wilson
Managing Director
Lockstep Group

Phone +61 (0)414 488 851

www.lockstep.com.au


Lockstep Consulting provides independent specialist advice and analysis
on digital identity and privacy. Lockstep Technologies develops unique
new smart ID solutions that enhance privacy and prevent identity theft.
_______________________________________________
pkix mailing list
https://www.ietf.org/mailman/listinfo/pkix
Bill Russell
2010-03-12 20:19:01 UTC
I think it's important to realize that non-repudiation is a legal determination, rather than a cryptographic outcome. While digital signatures and PKI are certainly big enablers of achieving non-repudiation for electronic transactions, we cannot really claim that something digitally signed provides non-repudiation. What Stephen says is exactly right. There is nothing that keeps someone from trying to repudiate a digitally signed transaction in court, and the courts may decide that there are grounds for repudiating a transaction based on any number of factors. With that said, it is difficult to think of dependable ways to achieve the necessary controls to claim non-repudiation without digital signatures. While online transactions and audit logs are for now sufficient in most cases to defend against repudiation, I do believe the day will come when a major attack across financial institutions will challenge the widely accepted "good-enough" security models.

Hope that helps.

Take care,

Bill Russell
Chief Technology Officer
Pericore, Inc.
www.pericore.com
(O) 703-327-2573
(M) 571-334-1671

Moudrick M. Dadashov
2010-03-12 20:34:15 UTC
If we look at the widely adopted definition of el. signature we can see
that it's technologically neutral. PKI is one possible, but the most
advanced, implementation. And even in this role PKI based solutions alone
do not play a definitive role in making transactions/documents legally
binding. Provisions of CP/CPS and Signature policy in combination with
signature creation software make up an environment where the interests of
all parties to a transaction are equally met.

Today banks are almost automatically treated as more trusted than their
customers:

http://www.stephenmason.eu/articles/banking-the-pin-and-the-atm/

How many banks accept electronically signed money transfer orders?
Almost 0. Why? Because the authentication+audit logs approach does not
have the functionality provided by el. signatures. It's time to clearly
distinguish the two categories. The NR (content commitment) or DS
(digital signature) bits in the X.509 certificate are only a small part
of the game.

M.D.
cell: +370-699-26662
Kemp, David P.
2010-03-12 20:45:17 UTC
The problem is with the term "non-repudiation", not with the concept of
data integrity provided by symmetric vs. asymmetric mechanisms.

Nobody has claimed that non-repudiation cannot be achieved without the
use of digital signatures.

What has been claimed is that a symmetric message authentication code
can be created by anyone able to validate it (all recipients as well as
the sender), whereas an asymmetric digital signature can be created only
by the private key holder(s) while others are able to validate it.
Using the term "non-repudiation" to refer to that third-party
provability property is perhaps understandable, but in hindsight was
probably the worst choice of terms ever.

Non-repudiation also refers to asymmetric private keys that were not
deliberately shared, to distinguish them from shared private keys such
as those used for both signature and encryption. Poor choice of words
in this case too, but the concept of single-holder vs. multiple-holder
is not a myth.

Dave



-----Original Message-----
From: pkix-***@ietf.org [mailto:pkix-***@ietf.org] On Behalf Of
Stephen Wilson
Sent: Friday, March 12, 2010 2:40 PM
To: ***@kisa.or.kr; ***@ietf.org
Subject: Re: [pkix] Non repudiation in internet banking

This is the best example of why technical "Non Repudiation" is a myth.
There are many many ways to make it difficult for someone to falsely
repudiate a transaction. You do not need PKI to create "non
repudiation".
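The MAC-versus-signature distinction Dave draws above, as an added Go example that is not part of the list thread: the bank, as MAC verifier, can mint a tag identical to the customer's, while with Ed25519 any holder of the customer's public key can verify but only the private-key holder can sign. The payment order string, the key material and the function names are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample payment order (not a real banking message format).
const order = "transfer 1000.00 from ACCT-A to ACCT-B ref 42"

// macTag computes HMAC-SHA256 over msg under a key shared by customer and bank.
func macTag(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// MACVerifierCanForge shows the symmetric case: the bank verifies with the
// same key it could sign with, so a tag the bank computes alone is identical
// to the customer's. A third party cannot tell which side produced it.
func MACVerifierCanForge(sharedKey []byte) bool {
	customerTag := macTag(sharedKey, order)
	bankTag := macTag(sharedKey, order) // bank, acting without the customer
	return hmac.Equal(customerTag, bankTag)
}

// ThirdPartyCanVerifySignature shows the asymmetric case: anyone holding the
// customer's public key (bank, auditor, court expert) can check the signature.
func ThirdPartyCanVerifySignature(customerPub ed25519.PublicKey, sig []byte) bool {
	return ed25519.Verify(customerPub, []byte(order), sig)
}

// VerifierCanForgeSignature shows that the bank, holding only its own key
// pair and the customer's public key, cannot produce a signature that
// verifies under the customer's public key.
func VerifierCanForgeSignature(customerPub ed25519.PublicKey, bankPriv ed25519.PrivateKey) bool {
	forged := ed25519.Sign(bankPriv, []byte(order))
	return ed25519.Verify(customerPub, []byte(order), forged)
}

// Demo generates fresh keys and returns (macForgeable, sigVerifies, sigForgeable).
func Demo() (bool, bool, bool) {
	shared := make([]byte, 32)
	rand.Read(shared)
	custPub, custPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, bankPriv, _ := ed25519.GenerateKey(rand.Reader)
	sig := ed25519.Sign(custPriv, []byte(order))
	return MACVerifierCanForge(shared),
		ThirdPartyCanVerifySignature(custPub, sig),
		VerifierCanForgeSignature(custPub, bankPriv)
}

func main() {
	macForge, sigOK, sigForge := Demo()
	fmt.Println("bank can mint a valid MAC tag itself:   ", macForge) // true
	fmt.Println("third party verifies customer signature:", sigOK)    // true
	fmt.Println("bank can forge customer signature:      ", sigForge) // false
}
```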
Jorge López
2010-03-13 10:30:30 UTC
Dear all,

I agree with those claiming that non-repudiation is a legal term rather than
a technical one. Though there are standards where non-repudiation evidence
based on digital signatures is clearly established (e.g. ISO 13888-1,
13888-3), in practice it is the legislation that defines the requirements
that (whatever) technological solution should meet for providing legally
binding evidence.

IMHO, cryptography cannot provide non-repudiation, since there is no
direct communication between the signatory and the private key, or between
the signatory and the document to be signed. An untrusted environment must
always be used. As such, everyone could claim that malware compromised the
private key (or PIN) or modified the document before the signature was
computed. There is a worryingly wide list of potential attacks a PKI-based
e-signature could suffer at generation.

However, the European Directive places the onus of proof on the signatory's
side when repudiating the commitment made in a document signed with a
qualified e-signature. There is an a priori recognition (validity) of the
legal effects derived from that type of signature. For the rest
(non-qualified), it should be proved in court that the mechanisms used were
secure enough.

Regards,

Jorge L. Hernandez-Ardieta