Use of the phrase "non-repudiation"

Issue #401 resolved
Dave Tonge created an issue

We should better define what we mean by “non-repudiation” in FAPI Advanced and the HTTP signing spec.

We ideally shouldn’t hint at providing any legal guarantees, but rather define the technical characteristics that the protocol will give and explain how they “could” be used in a legal context.

(from a comment at the CDR workshop)

Comments (9)

  1. Steinar Noem

    I totally agree!

    We have had several cases tried in court in Norway that suggest that “accountability” isn’t guaranteed regardless of the LoA.

  2. Stuart Low

    I’ve got an issue with legal folk hijacking a term used by crypto folk for decades. I think it would be best to clearly state that non-repudiation within the spec is strictly technical and not used in a legally binding way.

  3. Tom Jones

    Cryptographers quit using the concept of non-repudiation years ago. It is not measurable. What is tracked is spoofing, which is a better representation of what security tries to control.

  4. Steinar Noem

    Cool. Doesn’t Dave’s initial text pretty much cover the issue though?

    8< .. “explain how they could be used in a legal context” .. >8

    I think the main point is that non-rep material can serve as evidence in a court, but doesn’t guarantee accountability regardless of the LoA.

    I also think the same principle applies to how e.g. logs of other stuff happening in the OP/AS that could be relevant in a court are preserved as well.
