CDR: Re: Non-Repudiation in the Digital Environment (was Re: First Monday August 2000)

Arnold G. Reinhold reinhold at world.std.com
Tue Oct 17 08:03:39 PDT 2000


At 4:37 PM -0700 10/16/2000, Ed Gerck wrote:
>Borrowing from a private comment from Bob Jueneman, whatever the technical
>community decides that non-repudiation means, it probably isn't what the legal
>community means.  So be it.  Certainly the legal profession uses ordinary English
>words to mean other than their ordinary meaning in a particular context, and so
>do other professions.

This is the nub of our argument.  I believe the terms we use 
influence how our technology will be interpreted in a societal and 
legal context and we therefore have an obligation to be as clear as 
possible. This is particularly important with technology such as 
digital signatures and certs  which may profoundly alter the way 
individuals interact with the economic system.


> >
>> No cryptographic technology that I am aware of can fairly be said to
>> render the denial of an act impossible.
>
>Of course not, and we agree this much. That is why I wrote earlier that
>non-repudiation is not a "stronger" authentication or a long-lived one.
>In my view, a non-repudiation proof could be disqualified by an authentication
>proof. Non-repudiation does NOT trump authentication -- which is what this
>original thread (First Monday  article) proposed, based on some mythical
>"trusted systems".

To the extent we agree here, I would urge you to help insure that 
this message is crystal clear in all specs and documents whose 
content you can influence. And don't rely on which dictionary's 
definition of "protect" is correct.

>
>OTOH, some lawyers and lawmakers are oftentimes the first ones to use the term
>"identity theft" -- which simply is not a theft, it is impersonation.  I hope we
>in crypto don't have to use "identity theft" as well. And, they can continue to use it.
>

The problem goes beyond simple impersonation in that the victims 
subsequently find it difficult to convince large institutions that 
they are who they say they are.   My understanding is that the term 
comes from victims' statements that they felt as if their identities 
had been stolen.  See http://www.consumer.gov/idtheft/. The question 
is relevant here, not as just another parallel question of semantics, 
but because exactly how the legal system treats "non-repudiation" can 
make the identity theft problem much better or much worse.

For what it's worth, when Congress responded to this problem by 
passing the Identity Theft and Assumption Deterrence Act of 1998, it 
did not define "identity theft" as a new crime, but merely amended 18 
U.S.C. § 1028 "Fraud and related activity in connection with 
identification documents and information." The act includes 
provisions that appear to protect private keys, though they are not 
explicitly mentioned, while biometrics are (see 1028(d)(3)(C)).


Arnold Reinhold




