RE: PGP - non-nonrepudiation
> -----Original Message-----
> From: Carl Ellison [mailto:cme@xxxxxxx]
>
> At 06:02 PM 2/5/99 -0600, Black Unicorn wrote:
> >Not a bad idea, maybe, if there were no requirement for non-repudiation by
> >the receiving party. (And if there isn't, then what's the point of this
> >solution?)
>
> Sorry, but you hit one of my buttons.
>
> What do you (or does anyone else) mean by non-repudiation?
I avoided getting into picking one of the 20 kinds of non-repudiation
because non-repudiation is a process, not an event.
It's moot anyhow as I quite directly defined what I was looking for.
Specifically:
"Take the example of a brokerage which needs to incontrovertibly prove a
client (or a client's key) ordered a given transaction."
> To me, it means that I can take you into a courtroom and prove, somehow,
> that you signed the digitally signed message I hold in the floppy in my hand.
To digress:
In your context that can't be proven even if you have witnesses to the act
and a tape recording. (Witnesses are notoriously unreliable. The tape was
out of context, or has been modified).
There are always arguments against certain facts. If "truth" was really
accessible we wouldn't need the judicial process. The point is to give one
enough evidence to be persuasive of the truth, not to establish it.
> That means that the mechanisms we have set up defeat all your attempts to
> defend yourself against that accusation. That is, you are unable to
> repudiate the signature because of the mechanism we have established.
>
> Tell me how I can prove otherwise when you claim:
>
> 1. my private key was on my computer, but I didn't sign that message. I
> never saw that message. It is quite possible that someone else found my
> computer logged in while I was in the bathroom and signed that message with
> my computer. Therefore, you need to track down and bring in that other person.
"But the agreement you signed with the brokerage waives the brokerage's
liability for transactions where your keys are used."
This is, in fact, being done today with e.g., passwords and faxes.
Historically this kind of risk allocation has been done with checks as well.
If the signature is actually forged and the bank still cashes the check,
they are liable. If it is not forged (the client put it on a blank check
which was then lost) then the client eats it. I think this is unacceptable.
This is impossible to do given the lack of functionality I have pointed out.
"But you seem to have failed to follow the brokerage's password policy,
which absolves the brokerage of liability." (Like leaving your keys in the
car).
Can't even get to this point if you can't establish that the signature was
at least made from the client's key.
> 2. I was at my computer when that message was allegedly signed, but I never
> saw it and never signed it. I did try to sign some other message -- even
> put my thumb to the thumbprint reader to release the signing key -- but that
> signature attempt failed, so I had to do it again. There could have been a
> virus on my machine that used my unlocking of the private key to sign the
> message in question.
"But the agreement you signed with the brokerage waives the brokerage's
liability for transactions where your keys are used."
> etc.
Yes, etc.
> --------------------------------------------------
>
> This is just the start of possible defenses. After I made a list of them a
> little longer than this, I came to the simplifying conclusion that we should
> never use the term "non-repudiation" and should, in fact, strongly reprimand
> anyone who tries to.
I concede that non-repudiation and its definition are issues but this is
more than a bit defeatist. The excuse that "non-repudiation is too
non-defined for us to try and accommodate any functionality that approaches
it" is just silly.
I could apply this approach to encryption. "Why bother to encrypt? I have
no idea who's at the other end. Anyone could be a man in the middle for my
friend. They could sniff it with a Trojan horse on his computer. They
could put a video camera in his ceiling and watch his screen, or his
keyboard." This is effectively the approach you are taking.
My point is that the brokerage does not now have the tools to even provide
evidence of the signature in the first place, which, in fact, makes use of
the signature pointless as it provides not even the slightest advance in
non-repudiation. Might as well just keep taking passwords or use
handwriting analysis.
If you want this software to be utilized in places where it counts, which is
of course why we are in this game, or should be, then you have to improve
the product/protocol, not try to explain why functionality that is
needed/useful doesn't exist.
> - Carl
Mr. Geiger points out that this functionality, or lack thereof, is not a
consequence of the OpenPGP data structure itself. Insofar as that is so,
this discussion is probably out of place anyhow.