
Re: APOP - authentication..

From: Ted Hardie <hardie@merlot.arc.nasa.gov>
Date: Wed, 21 Feb 1996 11:59:09 -0800 (PST)
Message-Id: <199602211959.LAA20951@merlot.arc.nasa.gov>
To: Ned Freed <NED@innosoft.com>
Cc: pjc@trusted.com, paulle@microsoft.com, fielding@avron.ICS.UCI.EDU, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
> 
> > Here are some requirements that I am asked to provide today...
> > 	That is I need auth that can be demonstrated in a court of law as
> > 	being "spoof proof"
> 
> > 	Can we do it?
> 
> Of course not. I am frankly appalled that you would even ask this question.
> 


Actually, it may not be as bad as you think.  Long, long ago, when I
was a tiny little programmer, I worked on a billing system for a law
firm.  Security, oddly enough, was a major part of the system.
Because the law sometimes allows one party to recover its legal costs
from the party it's suing, the courts have laid down a number of
principles about billing records, to keep the charges from being
inflated when such recovery takes place (after all, the party hiring
the lawyer probably wants to stick it to the other party, and might
well collude with the lawyer to do so).  The original methods the
courts set down for all of this had to do with paper records and
appropriate data archiving of those records; we had to adapt those to
a billing system that would be run electronically.

The principles were actually fairly easy to enforce, and would be even
easier today.  They asked for auditability, proof of oversight, and
off-site archiving of all billing records.  (I understand that now
off-site archiving is waived if the records are stored on write-once
media.)  It required a little translation to fit the principles into
the systems we had available at the time, but it was very doable.

In other words, the legal requirements for this type of transaction
were established, were not onerous, and could be translated into the
electronic realm.  

To return to the case being posed, the question as originally asked can't
really be answered, because you don't say what legal standard is going
to be applied.  If you know what legal standard is being applied (like
financial non-repudiability, or auditability, or whatever), figure out
what the requirements would be on any system, electronic, paper, or
in-person, then re-ask the question.  We may be able to do a better
job of pointing out the points of risk.  If the legal standard to be
applied is not established, you have a much bigger problem; you then
need to figure out what the strictest standard would be (or the union
of all standards, whichever is worse), and then meet that--or you risk
helping set the standard.

			Regards,
				Ted Hardie

Disclaimer:  I am not a lawyer, but I was raised by wolves.
Received on Wednesday, 21 February 1996 11:55:52 EST
