[Openid-specs-fapi] repudiating non-repudiation?

Anders Rundgren anders.rundgren.net at gmail.com
Wed Feb 2 15:26:42 UTC 2022


I tried to "decipher" the ACME issue and AFAICT, signed data verified by a known public key is still considered safe.  In ACME they initially apparently only compared signature values, which was a protocol bug.

Non-repudiation is an ancient term created to make digital signatures legally binding in the same way as "wet signatures".  Nowadays, we know that "proof" in legal contexts can be pretty variant.  BTW, you can always deny that you did this or that :)

Personally, I prefer "secure" and "authentic" over "non-repudiation".

Anders

On 2022-02-02 16:03, Brian Campbell via Openid-specs-fapi wrote:
> I believe those are considerations/concerns with non-repudiation, yeah.  But I think this was about the characteristics of signatures themselves not always providing the properties people assume/expect that they do.
> 
> 
> On Wed, Feb 2, 2022 at 7:04 AM Steinar Noem <steinar at udelt.no> wrote:
> 
>     Yeah, for instance it depends on the identity proofing process that ties an identity to the certificate, right?
>     Another thing to be aware of is that "non-repudiation" does not actually exist in a legal sense. Even qualified certificates are not "definitive evidence" or a "get out of jail free" card.
> 
> 
>     On Wed, 2 Feb 2022 at 14:53, Brian Campbell via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
> 
>         "I think that you will find that most digital signature algorithms do not provide non-repudiation. It's a common myth." - said by someone much more knowledgeable than me in a recent discussion around the HTTP signatures work: https://github.com/httpwg/http-extensions/issues/1204#issuecomment-634377559
> 
>         I honestly can't say I fully understand it or the implications. But it seemed relevant here given that non-repudiation is mentioned as a goal of FAPI 2.0 Advanced.
> 
>         CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
>         _______________________________________________
>         Openid-specs-fapi mailing list
>         Openid-specs-fapi at lists.openid.net
>         https://lists.openid.net/mailman/listinfo/openid-specs-fapi
> 
> 
> 
>     -- 
>     Kind regards
> 
>     Steinar Noem
>     Partner, Udelt AS
>     Systems developer
>     | steinar at udelt.no | hei at udelt.no | +47 955 21 620 | www.udelt.no |
> 
> 
> 
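As an added illustration, not part of this thread and not taken from ACME, FAPI or any library: the following Python shows the property the quoted GitHub comment is getting at. Given one genuine RSA signature, an attacker can construct a second public key under which the very same signature value verifies a completely different message (a duplicate-signature key selection attack). A signature value on its own therefore proves nothing about who signed what; what carries weight is verification under a public key the verifier already trusts, which is the distinction drawn in the reply above. Textbook hash-then-sign RSA without padding, the pure-Python Miller-Rabin key generator and the two sample messages are all constructed here for the example; the key-substitution construction itself does not depend on that simplification (against a padded scheme the attacker builds the encoded message for the chosen modulus length instead of the bare hash).

```python
"""Added example: why a matching signature value is not proof of who signed what.

Duplicate-signature key selection (DSKS): given a genuine RSA signature `sig`
over message m1 under the victim's key (n, e), the attacker builds a new
public key (n2, e2) such that the same `sig` verifies over an attacker-chosen
message m2.  Textbook hash-then-sign RSA (no padding) keeps the arithmetic
visible; all keys and messages are constructed in this file.
"""
import hashlib
import math
import random

_rng = random.SystemRandom()


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test (trial division first)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, until one passes Miller-Rabin."""
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def keygen(bits: int = 1024, e: int = 65537):
    """Return ((n, e), d) for a fresh RSA key.  Needs Python 3.8+ for pow(e, -1, phi)."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), pow(e, -1, phi)


def digest_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(msg: bytes, n: int, d: int) -> int:
    """Textbook hash-then-sign: sig = H(m)^d mod n (no padding, for illustration only)."""
    return pow(digest_int(msg), d, n)


def verify(msg: bytes, sig: int, pub) -> bool:
    n, e = pub
    return 0 < sig < n and pow(sig, e, n) == digest_int(msg)


def forge_key_for(sig: int, msg2: bytes, e2: int = 3):
    """DSKS step.  Choose n2 = sig^e2 - H(msg2).  Then sig^e2 mod n2 == H(msg2),
    so the pair (n2, e2) 'verifies' the existing sig over msg2.  n2 is not a
    product of two primes, but a verifier has no way to tell."""
    n2 = pow(sig, e2) - digest_int(msg2)
    if n2 <= sig:  # only possible for tiny signatures; a real sig is ~n in size
        raise ValueError("signature too small for this exponent")
    return (n2, e2)


def accept_by_signature_value(expected_sig: int, presented_sig: int) -> bool:
    """The protocol-bug pattern: treat a matching signature value as proof."""
    return expected_sig == presented_sig


def accept_by_trusted_key(trusted_pub, msg: bytes, sig: int) -> bool:
    """The sound pattern: verify the message under the key you already trust."""
    return verify(msg, sig, trusted_pub)


def demo() -> dict:
    victim_pub, victim_priv = keygen()
    m1 = b"victim: authorize account A"        # constructed sample message
    sig = sign(m1, victim_pub[0], victim_priv)

    # Attacker picks a different message and derives a key that makes the
    # victim's signature value verify over it, then presents (m2, sig, key).
    m2 = b"attacker: authorize account B"      # constructed sample message
    attacker_pub = forge_key_for(sig, m2)

    return {
        "genuine_verifies": verify(m1, sig, victim_pub),
        "forged_verifies": verify(m2, sig, attacker_pub),
        "keys_differ": attacker_pub != victim_pub,
        # server stored the victim's sig as 'expected'; attacker replays the same value
        "bugged_check_accepts_forgery": accept_by_signature_value(sig, sig),
        # server verifies m2 under the key it actually trusts
        "trusted_key_check_accepts_forgery": accept_by_trusted_key(victim_pub, m2, sig),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the forged key verifies the attacker's message with the victim's unchanged signature value, while verification under the trusted key rejects it; the only defence is binding the signature to a key the verifier already knows, never accepting a signature value or a caller-supplied key as evidence on its own.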


