OBO John Messing fwd: RE: [pki-tc] The need for "Non-repudiation" [was: Why did secure e-mail fail? ...

[Stephen Wilson <swilson@lockstep.com.au>]

This is forwarded on behalf of John Messing, who reports trouble posting to
the list. 

And John, many thanks again from me, very helpful stuff. 

Stephen Wilson.

    
Forwarded Message:
--
From:    John Messing
To:      Stephen Wilson <swilson@lockstep.com.au>
Subject: RE: [pki-tc] The need for "Non-repudiation" [was: Why did secure
e-mail fail? ...
Date:    Dec 19, 2005
--

> In a very short answer, no. Non-repudiation is not a legal term. As a
> fellow technologist lawyer once aptly commented to the ABA Information
> Security list, "if the issue of non-repudiation is on the table,
> repudiation has already occurred." (I paraphrase the exact wording).
> 
> Non-repudiation is a PKI term that has trickled into certain non-US
> legal systems, largely through tireless efforts of certain Verisign
> lawyers to get agreement to its vision of a PKI world as expressed in
> its certificate practice statement in an international setting in the
> 1990's. The US legal system is not one of those which recognizes the
> term at all. The NR bit has no legal status as such. It could be one
> piece of evidence for a court to consider whether a person logically
> associated his or her identity with an intent to be bound, though the
> introduction into evidence of the NR bit or its absence would depend
> upon human expert testimony in order to explain to judges and other
> non-technical persons how it works, and the result would not be
> automatically considered or weighed.
> 
> The assumption that a judge would accept the NR bit as a boolean
> assertion with nothing else needed to resolve a dispute over the
> binding effect of a digital signature affixed by a person is a
> technogist''s vision that ignores the basic workings of the legal
> system.
> 
> I personally think of electronic signatures as legal/technical beasts.
> 
> I see three different dimensions or planes. First there is the physical
> world. The second is the moral/legal realm. The third is the digital
> world.
> 
> A signature has its genesis in human intention and is a moral
> declaration to stand behind a representation of certain facts as true,
> or to commit to do something in the future, as a promise. The intention
> is expressed through a symbolic act. In the physical world, one affixes
> one's autograph with the intent to be bound in order to achieve a
> legally recognized signature. (There are other dimensions to legally
> binding obligations, but I am focusing only on the signature aspect
> now).
> 
> In the electronic world, in the United States under the State-based
> Uniform Electronic Transactions Act (UETA), the parties can determine
> the method of signing either by implication or expressly, within
> certain restrictions that are imposed by the federal Esign legislation
> for obligations that cross state lines or international borders. If we
> exchange emails as private parties about a transaction and we can be
> said to have intended to be bound by the emails to specific
> obligations, then there is likely a binding legal contract based solely
> upon the use of the email addresses as the chosen method of signing, but
> it is primarily a question of how our intentions can be divined by a
> court after the fact based upon our actions as objectively viewed using
> the standard of how they appear to a reasonable person.
> 
> Bits and bytes have very little to do with the determination, unless
> they can help further the moral/legal inquiry. So far, there is no
> reported attempt to employ the NR bit to do so in any reported US
> appellate cases at the state or federal level.
> 
> There was a federal bankruptcy case where a person was allowed to
> disavow an electronic signature, but that was based upon a perceived
> failure of certain telephonic communications between the alleged signer
> and a remote individual who was supposed to affix the signature by
> proxy, and so an intention not to be bound was the basis for the final
> determination, as it legally is required to be.
> 
> I hope this is helpful.
> 
> It appears that my messages to the PKI list are bouncing, so if it is
> not too much trouble, would you mind posting this response to the list
> on my behalf?
> 
> Thanks and best regards.
> 
> > -------- Original Message --------
> > Subject: [pki-tc] The need for "Non-repudiation" [was: Why did secure
> > e-mail fail? ... ]
> > From: Stephen Wilson <swilson@lockstep.com.au>
> > Date: Sun, December 18, 2005 6:04 pm
> > To: pki-tc@lists.oasis-open.org
> > 
> > Hi John.
> > 
> > Thanks for the very interesting things you said about how legal cases are
> > decided.  Can I now change the subject once more?!  
> > 
> > John Messing wrote:
> > [snip] 
> > > One question is the goal of security.
> > [snip]
> > > I would think that one question could be how technology can contribute
> > > to raising the bar of security appropriately without simply inventing
> > > solutions as though there were nothing else already in place.
> > > 
> > > In this regard, I personally tend to favor pragmatism, and to eschew
> > > orthodoxy.
> > 
> > In this vein, may I ask your opinion of "non repudiation" in PKI land?  Was
> > it a techie's "solution" to a problem where other solutions were already in
> > place?  Does asserting (or not) the NR bit really add (subtract) special
> > powers to my signature?  
> > 
> > I always railed against the implied monopoly claimed by PKI vendors on 
> > "non-repudation".  The reality I think is that it can be very hard to
> > repudiate all sorts of conventionally secured transactions.  For instance,
> > what chance do I have of speciously denying a given Internet banking
> > transaction of mine on the grounds that my payment order was *not*
> > digitally signed and therefore *could have* originated from someone else? 
> > 
> > Cheers, 
> > 
> > Stephen.
> > 
> > 
> > Stephen Wilson
> > Lockstep Consulting Pty Ltd
> > www.lockstep.com.au
> > ABN 59 593 754 482
> > 
> > 11 Minnesota Ave
> > Five Dock NSW 2046
> > Australia
> > 
> > P +61 (0)414 488 851
> > 
> > --------------------
> > 
> > About Lockstep 
> > Lockstep was established in early 2004 by noted authentication expert
> > Stephen Wilson, to provide independent advice and analysis on cyber
> > security policy, strategy, risk management, and identity management. 
> > Lockstep is also developing unique new smartcard solutions to address
> > privacy and identity theft. 
> >