- From: Donald E. Eastlake 3rd <dee3@torque.pothole.com>
- Date: Wed, 06 Oct 1999 08:53:13 -0400
- To: w3c-ietf-xmldsig@w3.org
Well, other people think it very important to distinguish the security model provided by, for example, public key versus keyed hash. One difference in these models is normally called non-repudiation and in technical documents such as this, that refers to the fact that you either need the private key or need to have broken the cryptography to forge a signture. Having small glossary at the end of the document and defining the term is fine. But if you want it replaced, I think you should provide a single word substitute that people could agreee on as a replacement. Saying '"non-repudiation" is actually a marketing term!' doesn't persuade me since marketers use and screw up essentially every word in the language. Donald From: "Chris Smithies" <Chris_Smithies@penop.com> Resent-Date: Wed, 6 Oct 1999 08:27:14 -0400 (EDT) Resent-Message-Id: <199910061227.IAA12816@www19.w3.org> X-Lotus-FromDomain: PENOP To: w3c-ietf-xmldsig@w3.org Message-ID: <85256802.0044BD01.00@penop.com> Date: Wed, 6 Oct 1999 13:35:15 +0100 >I would strongly recommend that the term "non-repudiation" and its >derivatives not appear in the draft. From a legal perspective it is seen as >a hollow boast. The only thing that can't be _denied_ is that if a hash can >be decrypted by K1, then it was encrypted by K2. But even allowing that the >surrounding system is completely secure in all respects, it remains >possible for the "appropriate user" of K2 to _repudiate_ a signature >demonstrably signed by K2. Duress... mistake... deception... >"non-repudiation" is actually a marketing term!
Received on Wednesday, 6 October 1999 08:53:17 UTC