[EMAIL PROTECTED] wrote:

>> Suppose someone refutes that they have sent information to a Web site
>> owner, how is the Web site owner to prove that the information was in
>> fact received and that it was signed with a given key?
>>
>> To do this, the Web site owner would presumably need to be able to produce
>> the still-encrypted post as sent by the user, but from a quickish reading
>> of the mod_ssl reference, I don't see any way to log this information.
>>
>> Andrew McNaughton
>
> Provided you know the time of the transaction, the web server logs will give
> you details of the IP address all the web transactions are coming from. You
> can find who owns this IP address via the Ripe (www.ripe.net), Arin
> (www.arin.net) or Apnic (www.apnic.net) websites.
>
> From this you can find which ISP this address belongs to, and that ISP can
> verify who was using that IP address at the time. How much assistance you
> receive from each ISP will vary.
>
> That may give you sufficient information to press a case against the person
> who alleges they didn't access your website, but IANAL.
John, unfortunately IP hijacking is so trivial (see threads on Bugtraq) that
this method will not work with reasonable certainty.

> I'm not sure what you mean about information being signed with a given key.
> Do you mean a personal key like a digital signature, or do you mean the SSL
> key?

Andrew is right. Repudiation, or rather non-repudiation, can be achieved with
public-private <-> private-public encryption. Owen is right: SSL/HTTPS doesn't
support that in itself.

Here is how public-private auth/encoding should work:

  Message     = M
  Transmitted = T
  Public Key  = pub
  Private Key = priv

Transmission of Message M:

  M -> T --transmit--> T -> M

pub-priv enc works like

  T = enc(pub, M)   <=>  M = dec(priv, T)
  T = enc(priv, M)  <=>  M = dec(pub, T)

Non-repudiation:

  send:    T = enc(priv_sender, enc(pub_receiver, M))
  receive: M = dec(pub_sender, dec(priv_receiver, T))

Of course this is simplified, but holds the principle.

With HTTPS, the only way to authenticate for sure the message sender is with
the sender's cert (CLIENT CERT). If you log that auth, then you know for sure
who came to the site. For that, you need to restrict that part of the site to
auth with client certs.

The astute reader noticed that all this digital signature shebang works only
if solely the owner uses his cert.

Hope this helps.

Cheers,
Balázs

-----------------------------------------------------
Balázs Nagy                  TheNewPush, LLC
Managing Partner             tel. +1-303-523-5729
Research & Development       fax. +1-720-294-0933
=======> Internet Infrastructure and Presence Provider
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
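The sign-and-encrypt scheme sketched in the post above, as an added worked example that is not part of the original thread or of mod_ssl. It uses textbook RSA with constructed toy Mersenne-prime keys (far too small for real use, and with no padding) so the code reads like the thread's `enc(pub, M)` / `dec(priv, T)` notation. The user encrypts for the site owner and signs the ciphertext; the site owner undoes the two steps in reverse order (check the outer signature with pub_sender, then decrypt with priv_receiver); and a third party checks the stored transmission using only the public keys, which is the property that stops the user from repudiating it. The key names, the sample message and the helper functions are all assumptions of this example.

```python
import hashlib

# Textbook RSA keys as (n, exponent) tuples so the code mirrors the thread's
# notation enc(pub, M) / dec(priv, T). Toy sizes and no padding: this shows the
# principle only and must never be used for real traffic.


def make_keypair(p: int, q: int, e: int = 65537):
    """Return (pub, priv) as (n, e), (n, d). Assumes p and q are distinct primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e; needs Python 3.8+
    return (n, e), (n, d)


# Constructed toy primes (Mersenne primes) chosen so 65537 is coprime to phi.
PUB_SENDER, PRIV_SENDER = make_keypair(2**31 - 1, 2**19 - 1)        # the user
PUB_RECEIVER, PRIV_RECEIVER = make_keypair(2**89 - 1, 2**61 - 1)    # the site owner


def enc(key, x: int) -> int:
    n, exp = key
    return pow(x, exp, n)


dec = enc  # RSA: the same modular exponentiation with the other half of the pair


def int_to_bytes(x: int) -> bytes:
    return x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")


def digest(x: int, n: int) -> int:
    """SHA-256 of x, reduced below the signer's modulus so it can be signed."""
    return int.from_bytes(hashlib.sha256(int_to_bytes(x)).digest(), "big") % n


def send(message: bytes, priv_sender, pub_receiver):
    """T = enc(priv_sender, enc(pub_receiver, M)): encrypt for the receiver, then
    sign the resulting ciphertext so anyone holding pub_sender can check it."""
    m = int.from_bytes(message, "big")
    if m >= pub_receiver[0]:
        raise ValueError("message too long for this toy modulus")
    c = enc(pub_receiver, m)
    s = enc(priv_sender, digest(c, priv_sender[0]))
    return c, s


def verify(c: int, s: int, pub_sender) -> bool:
    """Needs only the sender's public key: this is the step a site owner can
    later repeat in front of a third party to show who signed the stored T."""
    return dec(pub_sender, s) == digest(c, pub_sender[0])


def receive(transmission, priv_receiver, pub_sender) -> bytes:
    """Undo the two operations in reverse order: check the outer signature with
    pub_sender first, then strip the inner encryption with priv_receiver."""
    c, s = transmission
    if not verify(c, s, pub_sender):
        raise ValueError("signature does not verify: not from this sender")
    return int_to_bytes(dec(priv_receiver, c))


def arbiter_check(message: bytes, transmission, pub_sender, pub_receiver) -> bool:
    """What the site owner hands a third party: the stored T = (c, s), the
    claimed M, and both public keys. With deterministic textbook RSA the
    arbiter can recompute c from M; a real padded scheme would sign a digest
    of M instead so this step would not depend on determinism."""
    c, s = transmission
    m = int.from_bytes(message, "big")
    return verify(c, s, pub_sender) and enc(pub_receiver, m) == c


def run_demo():
    """Constructed sample run: honest delivery, arbiter check, tampered ciphertext."""
    message = b"order 4711 OK"  # 13 bytes, fits under the toy receiver modulus
    t = send(message, PRIV_SENDER, PUB_RECEIVER)
    recovered = receive(t, PRIV_RECEIVER, PUB_SENDER)
    ok = arbiter_check(message, t, PUB_SENDER, PUB_RECEIVER)
    tampered_ok = verify(t[0] ^ 1, t[1], PUB_SENDER)  # one flipped bit in c
    return recovered, ok, tampered_ok


if __name__ == "__main__":
    print(run_demo())  # (b'order 4711 OK', True, False)
```

Two caveats a practitioner would add to the post. First, as the post's last sentence says, `verify` only proves that the sender's private key produced the signature; if the certificate's private key is shared or stolen, the link to a person is gone. Second, mod_ssl client-certificate authentication proves the client's identity to the server during the TLS handshake, but it yields no signature over the request body that a third party could later check, which is why the post says SSL/HTTPS does not provide non-repudiation by itself: for that the submitted content has to be signed by the client, and the site has to store that signed object rather than just the access-log line.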