CDR: Re: Non-Repudiation in the Digital Environment (was Re: First Monday August 2000)

[Ed Gerck]

"Arnold G. Reinhold" wrote:

> You may well be right about the accepted definition of
> non-repudiation, but if you are then I would amend my remarks to say
> that known cryptographic technology cannot provide non-repudiation
> service unless we are willing to create a new legal duty for
> individuals and corporations to protect their secret key or accept
> what ever consequences ensue.  I don't think that is acceptable.

Non-repudiation is, according to how myself and the PKIX WG consensus
views it, a useful concept both in technical as well as in legal terms.  Further,
neither myself nor the specific discussion in the PKIX WG saw any need to
require a specific legal framework to talk about technical applications
of the non-repudiation concept.  So, yes, technology can provide
for non-repudiation services and the question whether or not these
services are useful to provide evidences to a legal layer depends on
many *other* considerations -- such as for example the legal regime
(common law, civil law, statutes, contracts, etc.), which we do not control.
What we can do on the technical side is provide protocols (with and without
crypto -- for example, with timestamps that may be signed or made available
in a tamperproof public record) that support non-repudiation as a service that
prevents the denial of an act. This service is completely different from a
service that proves an act, which is authentication.  Neither of these services is
absolute, though, and thus the notion of non-repudiation cannot be of an
absolute answer. This is a common point between law and technology --
anything can be repudiated.

> I find the rest of your comment a tad too opaque.  Could you give
> some examples of what you have in mind?

You can check  for example
http://www.imc.org/draft-ietf-pkix-technr or
ftp://ftp.ietf.org/internet-drafts/draft-ietf-pkix-technr-01.txt

Cheers,

Ed Gerck