Another example is Netscape Form Signing 
(http://developer.netscape.com/tech/security/formsign/formsign.html).

-----Original Message-----
From:   [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
Sent:   Tuesday, 23 November, 1999 12:39
To:     [EMAIL PROTECTED]
Subject:        Re: SSL and non-repudiation

Yep,

You need something on top of SSL to provide some kind of signature.  OBI is
designed to do just this, however I'm not sure you could call it lightweight as
it relies on X.12 EDI standards.  It's more aimed at the B2B community, after
all, the existing Credit Card schemes in the physical telephone-ordering world
for B2C don't have any non-repudiation of an order, unless they record the
phone call.

Cheers,
Paul

--
Paul Ford-Hutchinson : EMEA eCommerce application security :
[EMAIL PROTECTED]
OSU-1, IBM , PO Box 31, Birmingham Rd, Warwick, CV34 5YR +44 (0)1926 462005




Maurice klein Gebbinck wrote:
>
> Hi all,
>
> This weekend I read the SSL spec and I am wondering about the following.
> Suppose I am the owner of an e-shop and I have a secure webserver. In
> order to make sure that all product orders I get are for real, I require
> that clients present a valid certificate during the SSL handshake.
> However, since after the handshake SSL switches to an encryption method
> based on symmetric keys (right?), it makes no sense to store the
> encrypted order of a client in a database, because the client can always
> argue that I made up the encrypted order myself (which I can since I
> know the symmetric key). The only thing the client cannot deny is that
> he has made a secure connection with my webserver, but apart from that
> nothing can be proven.
>
> Is this right, and if yes, is there a way within SSL (openssl) to
> provide non-repudiation?

It sounds right to me, and certainly SSL was not intended to provide
non-repudiation as a service. I'd say, therefore, that if you want
non-repudiation, you'd need to add it on top of SSL.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
     - Indira Gandhi
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
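
The argument in this thread, as an added example that is not part of the original messages or of OpenSSL: a record protected only under the shared session key can be fabricated by the shop, while a signature made with the client's private key cannot. Assumptions: HMAC-SHA256 stands in for the session's symmetric protection, Ed25519 stands in for the client certificate's key, and the order strings and all names (`tag`, `dispute`, `Verdicts`) are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// tag models the session's symmetric protection: a MAC under a key that
// client AND shop both hold once the handshake is done.
func tag(sessionKey, order []byte) []byte {
	m := hmac.New(sha256.New, sessionKey)
	m.Write(order)
	return m.Sum(nil)
}

// Verdicts is what an arbiter would conclude about each stored record.
type Verdicts struct{ MACReal, MACForged, SigReal, SigForged bool }

// dispute builds a genuine order and a shop-fabricated one, then checks both
// under each scheme.
func dispute() Verdicts {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		panic(err)
	}
	// Client key pair; the public half is what its certificate would carry.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	order := []byte("item=widget;qty=1;total=10.00")      // constructed sample
	forged := []byte("item=widget;qty=500;total=5000.00") // made up by the shop

	clientTag := tag(sessionKey, order)
	shopTag := tag(sessionKey, forged) // shop knows sessionKey, so this is easy
	clientSig := ed25519.Sign(priv, order)

	return Verdicts{
		MACReal:   hmac.Equal(tag(sessionKey, order), clientTag),
		MACForged: hmac.Equal(tag(sessionKey, forged), shopTag), // indistinguishable
		SigReal:   ed25519.Verify(pub, order, clientSig),
		// Without priv the shop can only reuse a signature it already holds.
		SigForged: ed25519.Verify(pub, forged, clientSig),
	}
}

func main() { fmt.Printf("%+v\n", dispute()) }
```

Both MAC records verify, so the stored tag says nothing about who wrote the order; only the signed record separates the client's order from the shop's fabrication.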


