At 4:37 PM -0700 10/16/2000, Ed Gerck wrote:
Borrowing from a private comment from Bob Jueneman, whatever the technical community decides that non-repudiation means, it probably isn't what the legal community means. So be it. Certainly the legal profession uses ordinary English words to mean other than their ordinary meaning in a particular context, and so do other professions.
This is the nub of our argument. I believe the terms we use influence how our technology will be interpreted in a societal and legal context and we therefore have an obligation to be as clear as possible. This is particularly important with technology such as digital signatures and certs which may profoundly alter the way individuals interact with the economic system.
No cryptographic technology that I am aware of can fairly be said to render the denial of an act impossible.
Of course not, and we agree this much. That is why I wrote earlier that non-repudiation is not a "stronger" authentication or a long-lived one. In my view, a non-repudiation proof could be disqualified by an authentication proof. Non-repudiation does NOT trump authentication -- which is what this original thread (First Monday article) proposed, based on some mythical "trusted systems".
To the extent we agree here, I would urge you to help insure that this message is crystal clear in all specs and documents whose content you can influence. And don't rely on which dictionary's definition of "protect" is correct.
OTOH, some lawyers and lawmakers are oftentimes the first ones to use the term "identity theft" -- which simply is not a theft, it is impersonation. I hope we in crypto don't have to use "identity theft" as well. And, they can continue to use it.
The problem goes beyond simple impersonation in that the victims subsequently find it difficult to convince large institutions that they are who they say they are. My understanding is that the term comes from victims' statements that they felt as if their identities had been stolen. See http://www.consumer.gov/idtheft/. The question is relevant here, not as just another parallel question of semantics, but because exactly how the legal system treats "non-repudiation" can make the identity theft problem much better or much worse. For what it's worth, when Congress responded to this problem by passing the Identity Theft and Assumption Deterrence Act of 1998, it did not define "identity theft" as a new crime, but merely amended 18 U.S.C. § 1028 "Fraud and related activity in connection with identification documents and information." The act includes provisions that appear to protect private keys, though they are not explicitly mentioned, while biometrics are (see 1028(d)(3)(C)).
Arnold Reinhold