


pki-tc message


Subject: OBO John Messing fwd: RE: [pki-tc] The need for "Non-repudiation" [was: Why did secure e-mail fail? ...

This is forwarded on behalf of John Messing, who reports trouble posting to
the list. 

And John, many thanks again from me, very helpful stuff. 

Stephen Wilson.

Forwarded Message:
From:    John Messing
To:      Stephen Wilson <swilson@lockstep.com.au>
Subject: RE: [pki-tc] The need for "Non-repudiation" [was: Why did secure
e-mail fail? ...
Date:    Dec 19, 2005

> In a very short answer, no. Non-repudiation is not a legal term. As a
> fellow technologist lawyer once aptly commented to the ABA Information
> Security list, "if the issue of non-repudiation is on the table,
> repudiation has already occurred." (I paraphrase the exact wording).
> Non-repudiation is a PKI term that has trickled into certain non-US
> legal systems, largely through tireless efforts of certain Verisign
> lawyers to get agreement to its vision of a PKI world as expressed in
> its certificate practice statement in an international setting in the
> 1990's. The US legal system is not one of those which recognizes the
> term at all. The NR bit has no legal status as such. It could be one
> piece of evidence for a court to consider whether a person logically
> associated his or her identity with an intent to be bound, though the
> introduction into evidence of the NR bit or its absence would depend
> upon human expert testimony in order to explain to judges and other
> non-technical persons how it works, and the result would not be
> automatically considered or weighed.
> The assumption that a judge would accept the NR bit as a boolean
> assertion with nothing else needed to resolve a dispute over the
> binding effect of a digital signature affixed by a person is a
> technologist's vision that ignores the basic workings of the legal
> system.
> I personally think of electronic signatures as legal/technical beasts.
> I see three different dimensions or planes. First there is the physical
> world. The second is the moral/legal realm. The third is the digital
> world.
> A signature has its genesis in human intention and is a moral
> declaration to stand behind a representation of certain facts as true,
> or to commit to do something in the future, as a promise. The intention
> is expressed through a symbolic act. In the physical world, one affixes
> one's autograph with the intent to be bound in order to achieve a
> legally recognized signature. (There are other dimensions to legally
> binding obligations, but I am focusing only on the signature aspect
> now).
> In the electronic world, in the United States under the State-based
> Uniform Electronic Transactions Act (UETA), the parties can determine
> the method of signing either by implication or expressly, within
> certain restrictions that are imposed by the federal Esign legislation
> for obligations that cross state lines or international borders. If we
> exchange emails as private parties about a transaction and we can be
> said to have intended to be bound by the emails to specific
> obligations, then there is likely a binding legal contract based solely
> upon the use of the email addresses as the chosen method of signing, but
> it is primarily a question of how our intentions can be divined by a
> court after the fact based upon our actions as objectively viewed using
> the standard of how they appear to a reasonable person.
> Bits and bytes have very little to do with the determination, unless
> they can help further the moral/legal inquiry. So far, there is no
> reported attempt to employ the NR bit to do so in any reported US
> appellate cases at the state or federal level.
> There was a federal bankruptcy case where a person was allowed to
> disavow an electronic signature, but that was based upon a perceived
> failure of certain telephonic communications between the alleged signer
> and a remote individual who was supposed to affix the signature by
> proxy, and so an intention not to be bound was the basis for the final
> determination, as it legally is required to be.
> I hope this is helpful.
> It appears that my messages to the PKI list are bouncing, so if it is
> not too much trouble, would you mind posting this response to the list
> on my behalf?
> Thanks and best regards.
> > -------- Original Message --------
> > Subject: [pki-tc] The need for "Non-repudiation" [was: Why did secure
> > e-mail fail? ... ]
> > From: Stephen Wilson <swilson@lockstep.com.au>
> > Date: Sun, December 18, 2005 6:04 pm
> > To: pki-tc@lists.oasis-open.org
> > 
> > Hi John.
> > 
> > Thanks for the very interesting things you said about how legal cases are
> > decided.  Can I now change the subject once more?!  
> > 
> > John Messing wrote:
> > [snip] 
> > > One question is the goal of security.
> > [snip]
> > > I would think that one question could be how technology can contribute
> > > to raising the bar of security appropriately without simply inventing
> > > solutions as though there were nothing else already in place.
> > > 
> > > In this regard, I personally tend to favor pragmatism, and to eschew
> > > orthodoxy.
> > 
> > In this vein, may I ask your opinion of "non repudiation" in PKI land?  Was
> > it a techie's "solution" to a problem where other solutions were already in
> > place?  Does asserting (or not) the NR bit really add (subtract) special
> > powers to my signature?  
> > 
> > I always railed against the implied monopoly claimed by PKI vendors on 
> > "non-repudiation".  The reality I think is that it can be very hard to
> > repudiate all sorts of conventionally secured transactions.  For instance,
> > what chance do I have of speciously denying a given Internet banking
> > transaction of mine on the grounds that my payment order was *not*
> > digitally signed and therefore *could have* originated from someone else? 
> > 
> > Cheers, 
> > 
> > Stephen.
> > 
> > 
> > Stephen Wilson
> > Lockstep Consulting Pty Ltd
> > www.lockstep.com.au
> > ABN 59 593 754 482
> > 
> > 11 Minnesota Ave
> > Five Dock NSW 2046
> > Australia
> > 
> > P +61 (0)414 488 851
> > 
> > --------------------
> > 
> > About Lockstep 
> > Lockstep was established in early 2004 by noted authentication expert
> > Stephen Wilson, to provide independent advice and analysis on cyber
> > security policy, strategy, risk management, and identity management. 
> > Lockstep is also developing unique new smartcard solutions to address
> > privacy and identity theft. 
> >  
