At 11:40 AM 2/9/95, Michael D. Bridges wrote:
Keywords: PEM, EDI, Secure Email
. . .
PEM appears to account for message integrity, originator
authentication and possibly confidentiality. However
there seems to be no PEM capability to deal with nonrepudiation.
"nonrepudiation" looks to be a method that ensures
the submission of a binding proposal (such as a bid)
by a vendor/trading partner cannot be denied.
. . .
There appears to be nothing like this in PEM.
Is this correct?
---------------------
Michael,
That is *not* correct. In particular, the supported services include "(if
asymmetric key management is used) non-repudiation of origin". See
attached excerpts:
Regards, -Rob- Robert W. Shirey SHIREY(_at_)MITRE(_dot_)ORG
tel 703.883.7210, sec 703.883.5749, fax 703.883.1397
Info. Security Div., The MITRE Corp., Mail Stop Z231
7525 Colshire Drive, McLean, Virginia 22102-3481 USA
---------------------
Network Working Group J. Linn
Request for Comments: 1421 IAB IRTF PSRG, IETF PEM WG
Obsoletes: 1113 February 1993
Privacy Enhancement for Internet Electronic Mail:
Part I: Message Encryption and Authentication Procedures
. . .
1. Executive Summary
. . .
Privacy enhancement services (confidentiality, authentication,
message integrity assurance, and non-repudiation of origin) are
offered through the use of end-to-end cryptography between originator
and recipient processes at or above the User Agent level.
. . .
3. Services, Constraints, and Implications
. . .
If an originator elects to perform PEM processing on an outbound
message, all PEM-provided security services are applied to the PEM
message's body in its entirety; selective application to portions of
a PEM message is not supported. Authentication, integrity, and (when
asymmetric key management is employed) non-repudiation of origin
services are applied to all PEM messages; confidentiality services
are optionally selectable.
. . .
Based on these principles, the following facilities are provided:
1. disclosure protection,
2. originator authenticity,
3. message integrity measures, and
4. (if asymmetric key management is used) non-repudiation of
origin,
but the following privacy-relevant concerns are not addressed:
1. access control,
2. traffic flow confidentiality,
3. address list accuracy,
4. routing control,
5. issues relating to the casual serial reuse of PCs by
multiple users,
6. assurance of message receipt and non-deniability of receipt,
7. automatic association of acknowledgments with the messages
to which they refer, and
8. message duplicate detection, replay prevention, or other
stream-oriented services
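
---------------------
Added example, not part of the original message or of RFC 1421: a sketch of why the excerpt ties non-repudiation of origin to asymmetric key management. With a key shared by originator and recipient, either party can compute the integrity check, so it cannot settle who sent a bid; a signature needs the originator's private key. The demo key, the messages, and the use of HMAC-SHA256 and unpadded RSA are assumptions chosen for illustration, not PEM's actual algorithms or message format.

```python
import hashlib
import hmac

# Constructed demo RSA key built from two Mersenne primes: illustration only, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known to the originator only

def digest_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def mic_symmetric(shared_key: bytes, msg: bytes) -> bytes:
    """Integrity check under a key that originator AND recipient both hold."""
    return hmac.new(shared_key, msg, hashlib.sha256).digest()

def arbiter_accepts_symmetric(shared_key: bytes, msg: bytes, tag: bytes) -> bool:
    """A third party can confirm the tag is valid, but not which key holder made it."""
    return hmac.compare_digest(mic_symmetric(shared_key, msg), tag)

def sign_asymmetric(private_exp: int, msg: bytes) -> int:
    """Unpadded RSA over the digest; requires the private exponent."""
    return pow(digest_int(msg), private_exp, N)

def verify_asymmetric(msg: bytes, sig: int) -> bool:
    """Anyone with the public values (N, E) can verify; verifying does not enable signing."""
    return pow(sig, E, N) == digest_int(msg)

def dispute_demo() -> dict:
    sent = b"Vendor A bids $10,000"      # constructed: what the originator sent
    altered = b"Vendor A bids $99,000"   # constructed: what the recipient claims
    shared = b"constructed-shared-key"
    # Symmetric case: the recipient computes a valid check over the altered bid.
    recipient_tag = mic_symmetric(shared, altered)
    # Asymmetric case: the recipient holds only the originator's signature on `sent`.
    sig = sign_asymmetric(D, sent)
    return {
        "arbiter_accepts_recipient_made_tag": arbiter_accepts_symmetric(shared, altered, recipient_tag),
        "signature_verifies_on_sent": verify_asymmetric(sent, sig),
        "signature_verifies_on_altered": verify_asymmetric(altered, sig),
    }

if __name__ == "__main__":
    for name, value in dispute_demo().items():
        print(f"{name}: {value}")
```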