From owner-mcg-talk Thu Jun 25 22:06:34 1998 Received: (from majordom@localhost) by localhost (8.8.7/8.8.7) id VAA15023 for mcg-talk-outgoing; Thu, 25 Jun 1998 21:11:48 -0300 Message-Id: <199806260011.VAA15023@localhost> Date: Thu, 25 Jun 1998 21:11:40 -0300 (EST) From: "416720" To: MCG Subject: [MCG] Cerimony and non-repudiation in e-commerce Sender: owner-mcg-talk@mcwg.org Status: RO X-Status: A former posting discussed how passive certs can allow e-commerce deals to outlive the certificates used to sign them. That could be called syntactic non-repudiation. NOTE: That was a syntactic issue -- How can I affirm for 5-35 years that signature S can be verified by cert C? The answer was to use a passive cert, under proper and simple arrangements, and one can affirm it as long as public-key cryptography is mathematically sound. Its security does not depend on operational factors. Thus, the signature is non-repudiable for a long period of time, but syntactically. It could still have resulted from a "Radar O'Reilly attack", a perfunctory and mindless signature, the result of pressing the wrong button, etc. -- as these would depend on semantics. Which means that the signature effects can be legally questioned, rather easily, even though the signature itself cannot. This posting deals now with a more envolved application of passive digital signatures (ie, passive certificates). Here, we face the semantic issue and enquire whether digital signatures can certify a perfect legal act and, thus, be non-repudiable in its effects in a fair and legal way for a long time. To motivate the issue, suppose we ask: -- Can legislation make digital signatures binding and incapable of repudiation? to which, currently, the answer is: -- Yes, but only in cases where they were really made by the purported signatory and with the purported intent. Clearly, the above answer is not very helpful. The conditions under which that requirement can be met are quite difficult to achieve and prove -- especially on the Internet. Until now, IMO. To show that, I divide the issue in three cases, A, B, C. A: how can I provide for semantic non-repudiation? --------------------------------------------------- What I have in mind is possible with passive certs, or zombie certs. Here, by signing the document and then by willfully destroying the private-key at the final part of a deal, turning an active cert into a passive cert, the signer declares the deal done and closed -- no further signing is possible. Of course, this final act constitutes a well-defined one-time act that only the signer can do. Further, the other party can atest to the signature, with the signed document. Still, these steps must be well-defined in a suitable protocol, which involves key-challenge and other considerations, but the objective is clear: the willfull destruction by the signer of his own private-key is the physical proof of a ceremony which cannot be performed by the other party. This provides a solution to Ben Wright's concern -- how to cope with the legal need for a cerimony, to help make a digital signature legally valid and non-repudiable. Which was missing in digital signatures so far. However, the original document can still be fully verified -- even very safely because it cannot be forged. And, its public-key cert can live a long time... without any need for a CRL. It is interesting to note that the cerimony's physical proof depends on trust, which can be unary-trust or binary-trust, with different results: (a) Unary-trust: If nobody other than the signer can verify that the signer has followed a secure destruction sequence (has used secure deletion methods, did not leave a copy in a swapfile, is not using a computer in which a bug has been planted or which has suffered from a virus which leaks keys, etc.), this implies that the signer cannot repudiate a signature on key compromise grounds or deny full responsibility for it, and must accept any compromise risk there may be. For example, if the signer covertly decides not to destruct the private-key, anything signed by that key is in violation of the signer's terms in the original document and cannot be used to repudiate or change the original document. (b) Binary-trust: if the other party can verify that the signer has followed a secure destruction sequence (as a function of risk and reach -- eg, suppose that both parties witness the key generation, the document signature and the subsequent physical destruction of the computer under a 3 Ton press...) then both parties can trust to some extent that the key was destroyed and, in that case, both parties may share the risks. Or, as disclaimed by the original document, the signer may exempt himself of any assumed risk and that would be a condition for the document to be valid -- which would be fair inasmuch as the other party can also trust the signer's secure destruction sequence and the signer's acts during its execution. Thus, engineering can provide some reliable tools that legislation may need to answer case A: 1. cerimony with signature and an intentional one-time act at the end 2. proof of cerimony by irreversible effects: key destruction 3. (a) signer cannot deny full responsibility for key destruction 4. (b) signer can deny or share responsibility for key destruction 5. long-lived passive cert for signature verification 6. signature forgery does not depend on operational factors 7. absence of technical need for revocation of passive cert 8. possible timestamping by nonce signing before key destruction and others, where the above eight factors are crucial for a legal defense of non-repudiation. Law has to be based on reliable final facts, accessible to all. Engineering can provide that, as passive certs show how acts CAN be made reliably final. Of course, proper protocol (such as the MCS in development by the MCG) is needed for technical assurance, especially under attacks such as "Radar O'Reilly", MITM, etc. B. And yet, how can we make repudiation possible, when needed? -------------------------------------------------------------- For active certs, I take the stance that it is not possible to provide non-repudiation. One cannot deal with the requirements of "Yes, but only in cases where they were really made by the purported signatory and with the purported intent" (as given at the top of this message). For example, the scenario "grandma chooses a weak passphrase and loses her house", the absence of an actual certificate revocation procedure (CRLs are just a will to revoke), the short lifetime of active certificates, etc. In general, legal action is not able to show beyond reasonable doubt whether there was indeed intent to sign and whether there was no operational fraud or fault unbeknownst to the signer. As a case in UK showed: His Honour Justice Mr. John Turner, sitting with two assessors, said that `when a case turns on computers or similar equipment then, as a matter of common justice, the defence must have access to test and see whether there is anything making the computers fallible'. In the absence of such access, the court would not allow any evidence emanating from computers. which evidence is either always lacking (eg, can we really get the full Internet traffic logs for that time and place?) or easy to forge. It is also easy to prove that it can be forged, hence -- it is useless. Thus, by not deleting its private-key and by keeping the signature certificate active, the signer signals that the deal is repudiable. There was no cerimony to the contrary, as above, and legislation cannot allow it to be non-repudiable. C. How can that be compared with handwritten signatures? -------------------------------------------------------- (Thanks to Nicholas Bohm for some of the next dialogue and remarks) If the law recognises a digital signature as a signature, then the law must release the signer from his obligations in the same cases as the law now releases the signer -- signature under the threat of unlawful force being just one example. The law is not uniform in the case of a forged handwritten signature (assuming that it is a very good forgery but can be proved to be a forgery). In the UK, certainly for cheques and probably for other documents, a forgery is not binding on the person whose signature is forged. In some jurisdictions, if a bank is deceived by a forgery despite using care, the risk falls on the customer, not the bank. Regarding forged digital signatures, if the verifier is required by law to conduct some special procedures, such as a search in the world's CRLs, and he carelessly fails to do it correctly, then the failure to detect forgery is caused by his failure. This can easily lead to difficult issues. For example, some may think that the law, in the light of engineering, must provide a means for allocating the risk between innocent grandma (who despite taking reasonable care, reasonable for a grandma, did not know her private key had been compromised, so did not revoke the public key) and innocent lender who carefully checked for revocation before relying on an unrevoked key to sign a loan and mortgage. However, my paragraphs above show that such is neither possible nor necessary -- once we correctly consider the difference between passive and active certificates. If grandma or the lender use a passive certificate procedure, intently deleting their private-key after signature and thus accepting a non-revocable protocol, then they are responsible according to their intent as expressed in the signed document. If not, if grandma or the lender just signed the document but neither mentioned in the document nor actually did destroy their private-keys (as can be proved by challenge-response) then the document is repudiable. While this solves the (impossible) issue of distinguishing between a fraudulent grandma and a sleepy lender, it still leaves open the question of risk sharing. For example, if I give a merchant my credit card number by telephone, he takes the risk. Thus, I may not be too keen to move to a system where I take the risk instead. This was discussed in cases A.a and A.b, with the differences between unary-trust and binary-trust. Thus, if the signer so accepts, passive certificates make it is possible to accomodate any degree of risk sharing between the parties. As final comments, regarding non-repudiation: 1. both cases, A and B, are useful: to guarantee that some kinds of signature are revocable and to provide ways to make other kinds of signature non-revocable. 2. non-revocable signatures need to be passive, which -- undoubtably -- requires the full alert cooperation of the signer to be effective. This can provide for a cerimony and its trail, under control by a proper protocol. Cheers, Ed Gerck ______________________________________________________________________ Dr.rer.nat. E. Gerck egerck@novaware.cps.softex.br http://novaware.cps.softex.br --- Meta-Certificate Group member, http://www.mcwg.org ---