To me a mechanism which allows recipient to voluntarily sign a read receipt
does not provide non-repudiation of message receipt.
My understanding of the term "non-repudiation" is that it means that someone
who signed something cannot claim otherwise later on.
This is because the recipient
can receive the message but refuse to sign a receipt in return, in effect
falsely repudiating having received the message.
No. There is no repudiation in this case because no receipt was ever signed or
sent. You cannot attempt to repudiate an action that was never actually
performed. Repudiation occurs when someone sends a receipt and later claims
they never sent it. A properly signed receipt protects against this, and this
is the service I call "non-repudiation".
Of course, I agree with Kent
and others who have said that there are applications where a voluntary signed
receipt suffices (as in MSP).
I don't think your use of the term "non-repudiation" agrees with how it is
commonly used in this community.
It seems that you've completely missed my point. I understand about the third
party's role here. My point is that since you cannot prove that B ever got E
from the third party, you have not proved that the message was in fact received
by B. The third party can send the message to B once, twice, a million times.
It can be shouted in the streets, placed in TV ads, whatever. The third party
can publish E in every newspaper and on every email list. It doesn't matter.
Your point is understood. You are talking about a denial of service attack
against Bob.
This isn't what I'm talking about at all. I'm talking about an attack carried
out *by* B, not an attack *on* B.
One which has clearly been spelled out in our paper
(assumptions III, page 4).
This section talks about your assumption that deliveries are performed in
bounded time and no service denial attacks are possible. This would be relevant
if I was talking about an attack carried out on B, but I'm not.
Regardless, for time-sensitive material, you
have a valid concern.
Actually, I had not considered the possibility of a service denial attack on B
in the case of time-sensitive material at all. It's another interesting case.
One can add your scenario, where B really does not receive E, to the above.
This is not my scenario. I'm talking about the case where B receives E but
claims he did not. This is effectively the same as claiming not to have
received M, since EM by itself is worthless and so is any receipt signed
indicating that only EM was received. And you cannot prove otherwise with your
protocol. Since the entire point here is to prevent B from claiming that he
never received M, this seems like a big problem to me.
In defense, I can say, a receipt is only as good as the legal system behind it
which enforces it. That legal system should take care of the semantics. I am
not trying to postpone the problem. If only Alice and Bob existed in the world,
it makes no sense for Alice to ask for a receipt. She does ask for it, because
she can later use it to prove that Bob received her message.
No she cannot, and this is why there is a problem.
If Bob never got
E, when Alice goes to Judge Lansing (is that O.J.'s judge?), Bob will be given
E in front of Lansing. If Bob believes he is failing to get E from the trusted
party, he would probably be wise enough to write a letter to an on-line judge
saying that as of such and such, he tried x times and failed to get E from TP.
He will ask for TP's signature. If your network is down, pick up the phone...
In any case, Bob must protect himself by an out-of-band mechanism if his network
is permanently down. At the end, both parties bring all relevant information
to a court of law where the lawyers get rich settling the dispute. That's life!
I am not claiming that my protocol solves denial-of-service. You cannot convince
me, however, that not doing so "blows CEM out of the water". :-)
Nor am I. Service denial attacks are very hard to deal with -- they basically
require that you make some assumptions that the parties you are dealing
with (or their agents) aren't totally stupid.
But again, this is not the problem I'm describing. I'm talking about the case
where B receives E but claims he did not. You cannot prove he did since the
protocol does not demand a signed receipt for E, and short of writing in an
absolute requirement that B must exhaust every reasonable avenue for obtaining
E before claiming it wasn't received, this provides B with a way to obtain M
without A being able to prove he did. I don't think such a requirement is at
all reasonable, and I suspect a court would agree with me, which is why I don't
think your protocol provides the service it claims to.
Ned