"Arnold G. Reinhold" wrote:
You may well be right about the accepted definition of non-repudiation, but if you are, then I would amend my remarks to say that known cryptographic technology cannot provide non-repudiation service unless we are willing to create a new legal duty for individuals and corporations to protect their secret key or accept whatever consequences ensue. I don't think that is acceptable.
Non-repudiation is, according to how I and the PKIX WG consensus view it, a useful concept both in technical as well as in legal terms. Further, neither I nor the specific discussion in the PKIX WG saw any need to require a specific legal framework to talk about technical applications of the non-repudiation concept. So, yes, technology can provide for non-repudiation services, and the question whether or not these services are useful to provide evidence to a legal layer depends on many *other* considerations -- such as, for example, the legal regime (common law, civil law, statutes, contracts, etc.), which we do not control. What we can do on the technical side is provide protocols (with and without crypto -- for example, with timestamps that may be signed or made available in a tamperproof public record) that support non-repudiation as a service that prevents the denial of an act. This service is completely different from a service that proves an act, which is authentication. Neither of these services is absolute, though, and thus the notion of non-repudiation cannot be an absolute answer. This is a common point between law and technology -- anything can be repudiated.
I find the rest of your comment a tad too opaque. Could you give some examples of what you have in mind?
You can check, for example, http://www.imc.org/draft-ietf-pkix-technr or ftp://ftp.ietf.org/internet-drafts/draft-ietf-pkix-technr-01.txt

Cheers,
Ed Gerck