CDR: Re: Non-Repudiation in the Digital Environment (was Re: First Monday August 2000)

Ed Gerck egerck at nma.com
Sun Oct 15 22:20:13 PDT 2000


Arnold,

Internet RFCs are technical specifications that use common English words in
a strictly defined manner. To suggest that the use of names in computer code
or Internet RFCs might have legal implications ... imagine lawyers examining
some code and trying to attach meaning to variable names? Or to UNIX
commands? For example, to kill or killall?

Context-dependent vocabulary can become highly amusing or disastrous
if taken in a universal context, as was recently pointed out in the PKIX list
by Peter Gien when someone complained about the legal implications of
"good" as defined in RFC 2560. Non-repudiation is not different. In the crypto
and RFC realm it means "a service that prevents the denial of an act" [Handbook
of Cryptography, X.509, PKIX]. Different lawyers in different countries may
define whatever they want but I note that the legal use of "non-repudiation" by
banks worldwide is very similar to "a service that prevents the denial of an act".

Cheers,

Ed Gerck



"Arnold G. Reinhold" wrote:

> My concern is that the vast majority of informed lay people, lawyers,
> judges, legislators, etc. will hear "non-repudiation" and hear
> "absolute proof."  If you doubt this, read the breathless articles
> written recently about the new U.S. Electronic Signatures Act.
>
> I don't think technologists should be free to use evocative terms and
> then define away their common sense meaning in the fine print.
> Certainly a valid public key signature is strong evidence and
> services like that described in the draft can be useful. I simply
> object to calling them "non-repudiation services." I would not object
> to "anti-repudiation services," "counter-repudiation services" or
> "repudiation-resistant technology." Would the banking industry employ
> terms like "forgery-proof checks," "impregnable vaults" or
> "pick-proof locks" to describe conventional security measures that
> were known to be fallible?




