Re: non-ephemeral vs. non-repudiation, was Re: proposed key usage text
There are multiple definitions of the word "denial" and one of them
yields a sensible meaning for Menezes' definition - see my elaboration
below. If one assumes the most common definition of the word, as most of
us on the list have done, Menezes' definition is absurd - he must be using
this other one.
Tom Gindin
Al Arsenault <awa1@home.com> on 11/18/99 09:36:43 PM
To: Ed Gerck <egerck@nma.com>
cc: "David P. Kemp" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org
Subject: Re: non-ephemeral vs. non-repudiation, was Re: proposed key usage text
With all due respect to Ed Gerck and to Menezes, et alia, I must
disagree with Ed's proposed definition of non-repudiation.
The salient point is the absence of the word "falsely"; i.e.,
(Polk & Housley's proposed wording:)
...a non-repudiation service which protects against the signing entity
falsely denying some action...
(Menezes's definition, often quoted by Gerck:)
Non-repudiation: a service that prevents the denial of a previous
act.
[Tom Gindin] Here are the six definitions given in Webster's New World
Dictionary, boiled down to essentials: 1 - the opposite of compliance; 2 -
the opposite of affirmation; 3 - a disowning or repudiation (the example
given is a denial of one's family); 4 - a refusal to believe; 5 - a refusal
to give; 6 - abstinence. Obviously, one of the first three definitions is
intended in the standard, and it seems likely to me that Ed and Menezes
intend number 3 (especially since the definition actually uses the term
repudiation), while almost everyone else (including me) thinks that number
2 is the main definition of the word.
To me, the presence of that word "falsely" is important. Building a
service that purports to hold you responsible for something you can
prove beyond a doubt you didn't do is not in general useful. (Although
I do acknowledge that there are some very rare situations where it is
useful and even necessary. Those are not the general case, though.)
[Tom Gindin] Given the definition of "denial" which Ed is using here, the
correct modifier for it would be "successfully" or "unsuccessfully" rather
than "falsely" or "truly". However, I question how meaningful the
distinction is between an "unsuccessful denial" in this sense and a "false
denial" in the sense of the primary definition of "denial" (a claim that
something is either not true or not associated with one's self).
In addition, in my search of the technical literature, I find Menezes et
alia almost alone in this definition. Almost everybody else includes
the word "falsely". Check Schneier, for example. Also, the write-up of
non-repudiation in Ford & Baum's "Secure Electronic Commerce" is one of
the better ones, in my opinion, and it certainly doesn't agree with
Menezes. So, I disagree with Ed's assertion that:
>
(snip)