CDR: Re: Non-Repudiation in the Digital Environment (was Re: First Monday August 2000)

Ed Gerck egerck at nma.com
Mon Oct 16 16:37:01 PDT 2000



"Arnold G. Reinhold" wrote:

> At 10:20 PM -0700 10/15/2000, Ed Gerck wrote:
> >Arnold,
> >
> >Internet RFCs are technical specifications that use common English words in
> >a strictly defined manner. To suggest that the use of names in computer code
> >or Internet RFCs might have legal implications ...  imagine lawyers examining
> >some code and trying to attach meaning to variable names? Or to UNIX
> >commands? For example, to kill or killall?
>
> I don't have to imagine it. I have been on the witness stand trying
> to explain terminology in technical documents that was quoted out of
> context by opposing counsel. (We won, but it cost a bundle in legal
> fees and management time.) I would also remind you of the _NSAKEY
> flap and countless product liability cases where minutia in
> engineering documents played a pivotal role.  Also there is a big
> difference between comments in source code or Unix command names and
> a technical specification, like an RFC, that undergoes a formal
> review and approval process.  The last will be given much more weight.

Borrowing from a private comment from Bob Jueneman, whatever the technical
community decides that non-repudiation means, it probably isn't what the legal
community means.  So be it.  Certainly the legal profession uses ordinary English
words to mean other than their ordinary meaning in a particular context, and so
do other professions.

BTW, consider the word "impregnable".  Everyone knows what it means, right?

Wrong!

Consider the sentence "Alice is impregnable."  It has two diametrically opposite meanings!

> >Context dependent vocabulary can become highly amusing or disastrous
> >if taken in a universal context, as was recently pointed out in the PKIX list
> >by Peter Gien when someone complained about the legal implications of
> >"good" as defined in RFC 2560.  Non-repudiation is not different.
> >In the crypto
> >and RFC realm it means "a service that prevents the denial of an
> >act" [Handbook
> >of Cryptography, X.509, PKIX]. Different lawyers in different countries may
> >define whatever they want but I note that the legal use of
> >"non-repudiation" by
> >banks worldwide is very similar to "a service that prevents the
> >denial of an act".
>
> Even if your spec contained an explicit definition of
> "non-repudiation" that made clear its technical limitations, there is
> a high likelihood that the public and the legal system will be
> misled. But the definition you cite does not even do that. Here is
> what my "Random House Dictionary of the English Language" says about
> the meaning of "prevent:"
>
> "... Prevent, hamper, hinder, impede refer to different degrees of
> stoppage of action or progress. To prevent is to stop something
> effectually by forestalling action and rendering it impossible: 'to
> prevent the sending of a message'..."
>
> No cryptographic technology that I am aware of can fairly be said to
> render the denial of an act impossible.

Of course not, and we agree this much. That is why I wrote earlier that
non-repudiation is not a "stronger" authentication or a long-lived one.
In my view, a non-repudiation proof could be disqualified by an authentication
proof. Non-repudiation does NOT trump authentication -- which is what this
original thread (First Monday article) proposed, based on some mythical
"trusted systems".

Regarding the word prevent, Merriam-Webster teaches that PREVENT implies
taking advance measures against something possible or probable
<measures taken to prevent leaks>.  This is the first meaning -- after this
comes ANTICIPATE and, at last, FORESTALL.  So, while you say that Random
House teaches that FORESTALL is the first meaning, I do not see this as the rule.
And, in this specific case it does not even make sense to use FORESTALL because
there is nothing to be interrupted -- but it does make a lot of sense IMO to take
advance measures against a probable or possible denial.

So, non-repudiation is a service that takes advance measures against a probable
or possible denial of an act. In other words, PREVENTS the denial of an act.

This is the standard meaning in cryptography applications.  Maybe it is already
similar or becomes similar to the meaning used by lawyers, or by banks.  Good for
them!

OTOH, some lawyers and lawmakers are oftentimes the first ones to use the term
"identity theft" -- which simply is not a theft, it is impersonation.  I hope we
in crypto don't have to use "identity theft" as well. And, they can continue to use it.

Cheers,

Ed Gerck
