- From: Krishna Sankar <ksankar@cisco.com>
- Date: Sun, 19 May 2002 18:09:50 -0700
- To: <www-ws-arch@w3.org>
- Message-ID: <000001c1ff9b$0f64e9d0$15d3fea9@amer.cisco.com>
Roger, What you are articulating is auditing and I think it is in scope of security. But auditing to support (legal) non-repudiation is not. Also auditing for IDS purposes is also in scope of security. cheers -----Original Message----- From: www-ws-arch-request@w3.org [mailto:www-ws-arch-request@w3.org] On Behalf Of Cutler, Roger (RogerCutler) Sent: Saturday, May 18, 2002 8:54 AM To: www-ws-arch@w3.org Subject: Non-Repudiation - A Lower Level? The last con call had some discussion of non-repudiation in which Joe emphasized that non-repudiation is about convincing a third party that something happened involving the two direct participants in a transaction, and others talked about the legal aspects -- such as problems guaranteeing legal validity over a seven year period in the face of evolving technology. And a rather complete discussion of non-repudiation has been posted but for some reason I don't seem to be able to find it at the moment. (Sigh.) I would like to suggest a different understanding of non-repudiation that I think is useful in a lot of business cases. In fact, beyond "useful" to "crucial". Perhaps it is confusing to call it the same thing, but I don't know what else to name it. Quoting from the EDI-like usage case I am drafting, Non-Repudiation is of particular importance, although in practical terms less in terms of a legal process than simply the ability to say, "You got this invoice on March 24, and here is your signed confirmation of receipt". That is, by far the most common scenarios that require non-repudiation involve people in both companies trying, in good faith, to sort out what has gone wrong in some screwed up transaction. What is required in these cases is an unambiguous record, not rock-solid legal proof. Taking these issues to court is a very rare occurrence given an ongoing trading relationship between businesses. I believe that it is fair to say that in practical, EDI-like transactions this sort of "unambiguos record" doesn't just satisfy the 80-20 but more like the 99.9. There is NO WAY that any technology or standards are going to prevent screwups and confusion in business transactions, which in practice happen all the time. "You didn't pay us." "Yes we did." Or "We ordered this but didn't receive it." There are a bazilion things that can go wrong which have nothing whatsoever to do with the web services or business protocols, and have nothing to do with anybody taking anything to court. Now one might well say, "Well, if one satisfies the more rigorous, legally motivated requirements of non-repudiation, one also satisfies this lower level requirement". That's OK, but what I am concerned about is that the higher level of non-repudiation may be difficult to achieve. I believe that there is a genuine and immediate need for the sort of non-repudiation described above, and perhaps it could be useful to get quickly to such an understanding. Or am I perhaps talking about what some people are calling "auditing"? I'm afraid I have not been entirely clear what people have meant by that. Am I really asking for clarification of terminology rather than a different understanding of requirements?
Received on Sunday, 19 May 2002 21:10:45 UTC