-----Original Message-----
From: Carl Ellison [mailto:cme(_at_)acm(_dot_)org]
At 06:02 PM 2/5/99 -0600, Black Unicorn wrote:
Not a bad idea, maybe, if there were no requirement for
non-repudiation by
the receiving party. (And if there isn't, then what's the point of this
solution?)
Sorry, but you hit one of my buttons.
What do you (or does anyone else) mean by non-repudiation?
I avoided getting into picking one of the 20 kinds of non-repudiation
because non-repudiation is a process, not an event.
It's moot anyhow as I quite directly defined what I was looking for.
Specifically:
"Take the example of a brokerage which needs to incontrovertibly prove a
client (or a client's key) ordered a given transaction."
To me, it means that I can take you into a courtroom and prove, somehow,
that you signed the digitally signed message I hold in the floppy
in my hand.
To digress:
In your context that can't be proven even if you have witnesses to the act
and a tape recording. (Witnesses are notoriously unreliable. The tape was
out of context, or has been modified).
There are always arguments against certain facts. If "truth" was really
accessible we wouldn't need the judicial process. The point is to give one
enough evidence to be persuasive of the truth, not to establish it.
That means that the mechanisms we have set up defeat all your attempts to
defend yourself against that accusation. That is, you are unable to
repudiate the signature because of the mechanism we have established.
Tell me how I can prove otherwise when you claim:
1. my private key was on my computer, but I didn't sign that
message. I
never saw that message. It is quite possible that someone else found my
computer logged in while I was in the bathroom and signed that
message with
my computer. Therefore, you need to track down and bring in that
other person.
"But the agreement you signed with the brokerage waives the brokerage's
liability for transactions where your keys are used."
This is, in fact, being done today with e.g., passwords and faxes.
Historically this kind of risk allocation has been done with checks as well.
If the signature is actually forged and the bank still cashes the check,
they are liable. If it is not forged (the client put it on a blank check
which was then lost) then the client eats it. I think this is unacceptable.
This is impossible to do given the lack of functionality I have pointed out.
"But you seem to have failed to follow the brokerage's password policy,
which absolves the brokerage of liability." (Like leaving your keys in the
car).
Can't even get to this point if you can't establish that the signature was
at least made from the client's key.
2. I was at my computer when that message was allegedly
signed, but I never
saw it and never signed it. I did try to sign some other message -- even
put my thumb to the thumbprint reader to release the signing key
-- but that
signature attempt failed, so I had to do it again. There could
have been a
virus on my machine that used my unlocking of the private key to sign the
message in question.
"But the agreement you signed with the brokerage waives the brokerage's
liability for transactions where your keys are used."
etc.
Yes, etc.
--------------------------------------------------
This is just the start of possible defenses. After I made a list
of them a
little longer than this, I came to the simplifying conclusion
that we should
never use the term "non-repudiation" and should, in fact,
strongly reprimand
anyone who tries to.
I concede that non-repudiation and its definition are issues but this is
more than a bit defeatist. The excuse that "non-repudiation is too
non-defined for us to try and accommodate any functionality that approaches
it" is just silly.
I could apply this approach to encryption. "Why bother to encrypt? I have
no idea who's at the other end. Anyone could be a man in the middle for my
friend. They could sniff it with a Trojan horse on his computer. They
could put a video camera in his ceiling and watch his screen, or his
keyboard." This is effectively the approach you are taking.
My point is that the brokerage does not now have the tools to even provide
evidence of the signature in the first place, which- in fact- makes use of
the signature pointless as it provides not even the slightest advance in
non-repudiation. Might as well just keep taking passwords or use
handwriting analysis.
If you want this software to be utilized in places where it counts, which is
of course why we are in this game, or should be, then you have to improve
the product/protocol, not try to explain why functionality that is
needed/useful doesn't exist.
- Carl
Mr. Geiger points out that this functionality, or lack thereof, is not a
consequence of the OpenPGP data structure itself. Insofar as that is so
this discussion is probably out of place anyhow.