"Arnold G. Reinhold" wrote:
At 10:20 PM -0700 10/15/2000, Ed Gerck wrote:
Arnold,
Internet RFCs are technical specifications that use common English words in a strictly defined manner. To suggest that the use of names in computer code or Internet RFCs might have legal implications ... imagine lawyers examining some code and trying to attach meaning to variable names? Or to UNIX commands? For example, to kill or killall?
I don't have to imagine it. I have been on the witness stand trying to explain terminology in technical documents that was quoted out of context by opposing counsel. (We won, but it cost a bundle in legal fees and management time.) I would also remind you of the _NSAKEY flap and countless product liability cases where minutiae in engineering documents played a pivotal role. Also there is a big difference between comments in source code or Unix command names and a technical specification, like an RFC, that undergoes a formal review and approval process. The last will be given much more weight.
Borrowing from a private comment from Bob Jueneman, whatever the technical community decides that non-repudiation means, it probably isn't what the legal community means. So be it. Certainly the legal profession uses ordinary English words to mean other than their ordinary meaning in a particular context, and so do other professions. BTW, consider the word "impregnable". Everyone knows what it means, right? Wrong! Consider the sentence "Alice is impregnable." It has two diametrically opposite meanings!
Context dependent vocabulary can become highly amusing or disastrous if taken in a universal context, as was recently pointed out in the PKIX list by Peter Gien when someone complained about the legal implications of "good" as defined in RFC 2560. Non-repudiation is not different. In the crypto and RFC realm it means "a service that prevents the denial of an act" [Handbook of Cryptography, X.509, PKIX]. Different lawyers in different countries may define whatever they want but I note that the legal use of "non-repudiation" by banks worldwide is very similar to "a service that prevents the denial of an act".
Even if your spec contained an explicit definition of "non-repudiation" that made clear its technical limitations, there is a high likelihood that the public and the legal system will be misled. But the definition you cite does not even do that. Here is what my "Random House Dictionary of the English Language" says about the meaning of "prevent:"
"... Prevent, hamper, hinder, impede refer to different degrees of stoppage of action or progress. To prevent is to stop something effectually by forestalling action and rendering it impossible: 'to prevent the sending of a message'..."
No cryptographic technology that I am aware of can fairly be said to render the denial of an act impossible.
Of course not, and we agree this much. That is why I wrote earlier that non-repudiation is not a "stronger" authentication or a long-lived one. In my view, a non-repudiation proof could be disqualified by an authentication proof. Non-repudiation does NOT trump authentication -- which is what this original thread (First Monday article) proposed, based on some mythical "trusted systems".
Regarding the word prevent, Merriam-Webster teaches that PREVENT implies taking advance measures against something possible or probable <measures taken to prevent leaks>. This is the first meaning -- after this comes ANTICIPATE and, at last, FORESTALL. So, while you say that Random House teaches that FORESTALL is the first meaning, I do not see this as the rule. And, in this specific case it does not even make sense to use FORESTALL because there is nothing to be interrupted -- but it does make a lot of sense IMO to take advance measures against a probable or possible denial.
So, non-repudiation is a service that takes advance measures against a probable or possible denial of an act. In other words, PREVENTS the denial of an act. This is the standard meaning in cryptography applications. Maybe it is already similar or becomes similar to the meaning used by lawyers, or by banks. Good for them!
OTOH, some lawyers and lawmakers are oftentimes the first ones to use the term "identity theft" -- which simply is not a theft, it is impersonation. I hope we in crypto don't have to use "identity theft" as well. And, they can continue to use it.
Cheers,
Ed Gerck