Signer Authentication

From: John Boyer <jboyer@uwi.com>
Date: Thu, 21 Oct 1999 10:23:07 -0700
To: "DSig Group" <w3c-ietf-xmldsig@w3.org>
Message-ID: <NDBBLAOMJKOFPMBCHJOIGELLCBAA.jboyer@uwi.com>

The question came up in today's telecon about what to call the property of
public key systems that the signer is identified by virtue of being the only
one (technically speaking) who could have created a signature since the
signature creation requires the individual's private key.

It was suggested that the term 'technical non-repudiation' be used.  I don't
have anything against the term, but the term being used by the ABA is signer
authentication. Using this latter term was refuted based on the fact that
non-public-key systems can perform signer authentication based on the trust
systems in place.

I don't understand why we must differentiate between signer authentication
performed by public key systems versus signer authentication performed by
other systems.  The reason I question this is that public key systems seem
to be no different from other systems with respect to the need for
establishing a trust mechanism.  Public key systems are only secure to the
extent that we trust the mechanism which delivers the public key to the
verification step.  This is the raison d'etre for PKIs and CAs.  Hence,
signer authentication requires the establishment of a trust system even for
public key systems.

Thanks,
John Boyer
Software Development Manager
UWI.Com -- The Internet Forms Company
Received on Thursday, 21 October 1999 13:22:58 GMT
