--- begin forwarded text Date: Wed, 13 Nov 1996 04:11:08 -0500 (EST) X-Sender: field@pop.pipeline.com Mime-Version: 1.0 To: John Lowry <jlowry@BBN.COM> From: "Richard L. Field" <field@pipeline.com> Subject: RE: Question on non-repudiation Cc: set-discuss@commerce.net Sender: owner-set-talk@commerce.NET Precedence: bulk +----------------------------------------------------+ Addressed to: set-discuss@commerce.net +----------------------------------------------------+ As chair of the ABA's Electronic Commerce Payment Committee and a member of the drafting team for its Digital Signature Guidelines, I suppose I am one of the people expected to "solve" the non-repudiation problem through legal means. Notwithstanding any technical or procedural proofs, there is no absolute non-repudiation, as a legal matter, unless a statute is enacted to that effect. For consumers in the U.S., there is no indication that this will happen. The applicable laws governing credit cards and the consumer use of debit cards specify that the customer can repudiate any unauthorized transaction, and that it is left to his bank/issuer to prove that the transaction was actually performed by that customer or under his authority. Even if technical means are used to ensure that the customer will always retain solitary access control to the account (by biometric means, for example), he can still claim coercion, error with respect to legal capacity, etc. Where software-based keys are used to confirm identity and/or authority to enter into a transaction, there are additional risks of error or fraud associated with initially obtaining a key and tying it to an identity, as well as the ongoing association between the key and the identity and/or authority. In these cases some third party ("trusted" CA, etc.) could step in and contractually agree to bear all risk of customer repudiation, but given the relatively low value of the average transaction that would be unlikely. Additionally, in some countries laws may shift the risk of loss absolutely to the customer or otherwise prevent him from repudiating a transaction. To some degree, this is the direction taken in the U.S. laws governing commercial wire transfers. If there are any countries contemplating the enactment of laws that would absolutely bind a person whenever his private key has been used, I would be most interested in hearing about them. - Richard Field At 11:35 AM 11/12/96 -0500, you wrote:
+----------------------------------------------------+ Addressed to: set-discuss@commerce.net +----------------------------------------------------+
Not to be argumentative but non-repudiation can be established technically. The formal definition requires that through technical and procedural proofs a party cannot repudiate a transaction. The law may not recognize those techniques and procedures for contractual purposes today but the ABA is working on it....
------------------------------------------------------------------------ This message was sent by set-discuss@commerce.net. For a complete listing of available commands, please send mail to 'majordomo@commerce.net' with 'help' (no quotations) contained within the body of your message. --- end forwarded text ----------------- Robert Hettinga (rah@shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "The cost of anything is the foregone alternative" -- Walter Johnson The e$ Home Page: http://www.vmeng.com/rah/