> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Maurice klein
> Gebbinck
> Sent: Monday, November 22, 1999 12:20 PM
> To: [EMAIL PROTECTED]
> Subject: SSL and non-repudiation
> 
> 
> Hi all,
> 
> This weekend I read the SSL spec and I am wondering about the following.
> Suppose I am the owner of an e-shop and I have a secure webserver. In
> order to make sure that all product orders I get are for real, I require
> that clients present a valid certificate during the SSL handshake.
> However, since after the handshake SSL switches to an encryption method
> based on symmetric keys (right?), it makes no sense to store the
> encrypted order of a client in a database, because the client can always
> argue that I made up the encrypted order myself (which I can since I
> know the symmetric key). The only thing the client cannot deny is that
> he has made a secure connection with my webserver, but apart from that
> nothing can be proven.
> 
> Is this right, and if yes, is there a way within SSL (openssl) to
> provide non-repudiation?

In the real world, no! SSL and TLS are a kind of transport layer
security. Non-repudiation needs application specific mechanisms.

Regards Rene

--
-----------------------------------------------------------
Rene G. Eberhard
Mail  : [EMAIL PROTECTED] 
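One way to do what the reply describes, as an added example that is not part of the original thread: the client signs each order with a private key that only it holds, and the shop stores the order together with the signature and verifies it with the client's public key, independent of the TLS session. This uses the openssl CLI; the key pair, order text and file names are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: application-layer
# non-repudiation with the openssl CLI, independent of TLS session keys.
# Assumes the openssl binary is on PATH; keys and order data are constructed.
set -eu

WORK=$(mktemp -d)
ORDER="$WORK/order.txt"
SIG="$WORK/order.sig"

# Client side: create a signing key pair (in practice the key behind the
# client's certificate). The shop never sees client.key.
client_setup_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/client.key" 2>/dev/null
    openssl pkey -in "$WORK/client.key" -pubout -out "$WORK/client.pub"
}

# Client side: sign the exact order bytes with RSA over SHA-256.
client_sign_order() {
    openssl dgst -sha256 -sign "$WORK/client.key" -out "$SIG" "$1"
}

# Shop side: check a stored order against its stored signature using only
# the client's public key. Exit status 0 = valid, non-zero = not valid.
shop_verify_order() {
    openssl dgst -sha256 -verify "$WORK/client.pub" \
        -signature "$SIG" "$1" >/dev/null 2>&1
}

# Scenario 1: a genuine order signed by the client verifies.
genuine_order_verifies() {
    printf 'order=42;item=widget;qty=3;total=29.97\n' > "$ORDER"
    client_sign_order "$ORDER"
    shop_verify_order "$ORDER"
}

# Scenario 2: the shop alters the stored order (here the quantity). Without
# the client's private key the signature no longer verifies, which is what a
# symmetric session key known to both sides cannot give you.
tampered_order_fails() {
    printf 'order=42;item=widget;qty=30;total=299.70\n' > "$WORK/tampered.txt"
    ! shop_verify_order "$WORK/tampered.txt"
}

client_setup_keys
genuine_order_verifies && echo "genuine order: Verified OK"
tampered_order_fails && echo "tampered order: verification failed as expected"
```

The stored pair (order, signature) plus the client's certificate is what the shop keeps as evidence; the TLS record layer itself is discarded.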

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
