[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [TLS] Please discuss: draft-housley-evidence-extns-00<

To: "Omirjan Batyrbaev" <batyr@xxxxxxxxxxxx>
Subject: Re: [TLS] Please discuss: draft-housley-evidence-extns-00<
From: <home_pw@xxxxxxx>
Date: Thu, 11 Jan 2007 11:33:01 -0800
Cc: tls@xxxxxxxx
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
References: <200701102032.VAA12262@xxxxxxxxxxxxxxxxxxx> <>

I've lost track of the URL, but somewhere on anMSN/Microsoft site it once had a click-signature mechanism."Click the Agree button" to be legally bound to something,over the SSL channel. That is not particularly remarkable,of course. However, there was specific and remarkable legalblurb justifying this as an "electronic signature". I recallreading it, wide-eyed.

One can gauge the trustworthiness of that "https signature"based on classical evaluation analysis (a) was the httpsimplementation/ciphersuite/CA good enough (b) was the HTMLrendered in Microsoft's IE product c) Is the browser and OSassured to ensure nothing else on the PC could interferewith the rendering of the server's-page ...and its dynamicbutton and event generation/communication. Absent an NCSCevaluation report thereto, the only party that can argue oneway or the other is of course the vendor - which justhappened to be Microsoft of course.

So, I think this was an edge case, that only an MSN site canmake this claim for a click signature, because it hascomplete control over the trusted technology being applied(being an arm of Microsoft, the product maker of IE, https,MSN Servers, etc). However, to be an electronic signature,there has to be a recordation act. Presumably, the MSN auditlogs have the details of the ciphersuite used, the browserheaders, and perhaps even the SSL session pdus for replay.


----- Original Message -----
From: "Omirjan Batyrbaev" <batyr@xxxxxxxxxxxx>

To: <martin.rex@xxxxxxx>; "Stefan Santesson"<stefans@xxxxxxxxxxxxx>

Cc: <tls@xxxxxxxx>
Sent: Wednesday, January 10, 2007 12:54 PM

Subject: Re: [TLS] Please discuss:draft-housley-evidence-extns-00<

At

least in US and at least one big b2b exchange said thatthey have a simplenon-repudiation practice: they make customers (buyers andsellers) to signthe agreement that stipulates that whatever is the recordof a transactionin the exchange database that holds as the non-repudablerecord. (the namewitheld due to the NDA). So they have no need for evenapplication levelnon-repudiation. So as Stefan pointed out the b2b simplyuses http today.




_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] Please discuss: draft-housley-evidence-extns-00<
  - From: Steven M. Bellovin

References:
- Re: [TLS] Please discuss: draft-housley-evidence-extns-00<
  - From: Martin Rex
- Re: [TLS] Please discuss: draft-housley-evidence-extns-00<
  - From: Omirjan Batyrbaev

Prev by Date: Re: [TLS] Please discuss: draft-housley-evidence-extns-00 - use to
Next by Date: RE: [TLS] Please discuss: draft-housley-evidence-extns-00 - use to
Previous by thread: Re: [TLS] Please discuss: draft-housley-evidence-extns-00<
Next by thread: Re: [TLS] Please discuss: draft-housley-evidence-extns-00<
Index(es):
- Date
- Thread