Subject: RE: [dss] EPM use cases: some questions and one requeriment.

Hi Ed,

inline, some questions we can discuss on the call -

At 12:28 AM 6/26/2003 -0400, Edward Shallow wrote:

>-----Original Message-----
>From: Trevor Perrin [mailto:trevp@trevp.net]
>Sent: June 25, 2003 2:01 PM
>To: Gray Steve; dss@lists.oasis-open.org
>Cc: Ed Shallow (E-mail)
>
>Thanks,
>
>My questions that remain, which we can discuss in email or at the concall:
>
>What is the point of the sender acquiring a "postmark" on his document?
><ed>
>In short, non-repudiation of origin (ref. ISO/IEC 13888-1-2-3). Regardless
>of which legal position or non-repudiation model one subscribes to, the
>re-production of evidence by Trusted Third Parties of these elements of
>non-repudiation are crucial. In fact much of the motivation behind
>deployment of trusted computing systems is the pursuit of this
>trustworthiness. IMHO to de-scope these subjects from the domain of a public
>protocol which professes to address digital signature creation and
>verification would result in a non-achievement.
>
>Refs:
>ETSI 101-733 and 101-903 OASIS CoverPages, Abstract and Links
>http://xml.coverpages.org/ni2002-04-24-a.html
>Non-Repudiation in the Digital Environment, McCullagh and Caelli
>http://www.firstmonday.dk/issues/issue5_8/mccullagh/#note13
>"UNCITRAL Model Law on Electronic Commerce with Guide to Enactment" Article
>13, at http://www.un.or.at/uncitral/texts/electcom/ml-ec.html
>American Bar Association Guidelines for Digital Signatures," at
>http://www.abanet.org/scitech/ec/isc/dsgfree.html
></ed>

I think you're arguing that "re-production of evidence by Trusted Third Parties of [...] elements of non-repudiation are crucial" to verifying digital signatures.

I thought the point of digital signatures, and certificates, and time-stamps, is that Alice can create a time-stamped signature, and Bob can verify it, and if there's a dispute Judge Judy can verify it, but there's no need for a TTP to store something for every signature.

I only skimmed through the references, but they seemed to support this:

According to the ABA reference,
 - section 5.1 - "A message bearing a digital signature verified by the public key listed in a valid certificate is as valid, effective, and enforceable as if the message had been written on paper."
 - section 5.2 - "Where a rule of law requires a signature, or provides for certain consequences in the absence of a signature, that rule is satisfied by a digital signature which is (1) affixed by the signer with the intent of signing the message, and (2) verified by reference to the public key listed in a valid certificate."

According to ISO/IEC 13888-3,
 - section 8.1 - "An NRO token is used to provide protection against the originator's false denial of having originated the message. The NRO token is generated by the originator A of the message m (or authority C), sent by A to the recipient B, [and] stored by the recipient B after verification."

The definitions that follow make it clear that such a non-repudiation-of-origin-token is basically just the signer's public-key signature on a message.

This document also mentions possible roles for 3rd parties such as CAs and TSAs, and "Notary Authorities" (similar to a DSS signing service) and "Evidence Recording Authorities". But the last two are in an informative annex (as opposed to normative, I guess), and there's no mention of them being required for verifying signatures.

>To whom is this postmark meaningful, and what does it mean?
>
><ed>
>In certain scenarios and/or jurisdictions the onus of proof in the event of
>a legal challenge on the alleged signing of a document may rest with the
>signator. In such cases and scenarios, a receipt of non-repudiation of
>origin (what we innocently label the PostMark) would be valuable and worth
>paying for.[...]
></ed>

I'm not sure what you mean by "receipt of non-repudiation of origin", but it sounds like a non-repudiation of origin token per ISO/IEC 13888-3, in which case I would think the signer's time-stamped signature is sufficient.

>According to A11, "The main purpose of the EPM is to provide a
>non-repudiation service that attests Who, What, Why, When a document was
>signed, plus the archival service". Isn't this provided by a normal,
>time-stamped digital signature?
>
><ed>
>No, it does not. Validity, integrity, and trustworthiness are still very
>much in doubt and inadmissible in nearly all jurisdictions.
></ed>

Could you give some examples? I'm not aware of digital signature laws that require a TTP to create a "receipt of non-repudiation of origin" for each signature, or to archive each signature. Though I don't know much about these laws in general.

Trevor