From: Robert Hettinga <rah@shipwright.com>
Date: Wed, 13 Nov 1996 08:43:39 -0800 (PST)
To: cypherpunks@toad.com
Subject: RE: Question on non-repudiation
Message-ID: <v0300784daeafaa7128a9@[206.119.69.46]>
MIME-Version: 1.0
Content-Type: text/plain



--- begin forwarded text


Date: Wed, 13 Nov 1996 04:11:08 -0500 (EST)
X-Sender: field@pop.pipeline.com
Mime-Version: 1.0
To: John Lowry <jlowry@BBN.COM>
From: "Richard L. Field" <field@pipeline.com>
Subject: RE: Question on non-repudiation
Cc: set-discuss@commerce.net
Sender: owner-set-talk@commerce.NET
Precedence: bulk

+----------------------------------------------------+
Addressed to: set-discuss@commerce.net
+----------------------------------------------------+

   As chair of the ABA's Electronic Commerce Payment Committee and a member
of the drafting team for its Digital Signature Guidelines, I suppose I am
one of the people expected to "solve" the non-repudiation problem through
legal means.

   Notwithstanding any technical or procedural proofs, there is no absolute
non-repudiation, as a legal matter, unless a statute is enacted to that
effect.  For consumers in the U.S., there is no indication that this will
happen.  The applicable laws governing credit cards and the consumer use of
debit cards specify that the customer can repudiate any unauthorized
transaction, and that it is left to his bank/issuer to prove that the
transaction was actually performed by that customer or under his authority.
Even if technical means are used to ensure that the customer will always
retain solitary access control to the account (by biometric means, for
example), he can still claim coercion, error with respect to legal capacity,
etc.  Where software-based keys are used to confirm identity and/or
authority to enter into a transaction, there are additional risks of error
or fraud associated with initially obtaining a key and tying it to an
identity, as well as the ongoing association between the key and the
identity and/or authority.

   In these cases some third party ("trusted" CA, etc.) could step in and
contractually agree to bear all risk of customer repudiation, but given the
relatively low value of the average transaction that would be unlikely.
Additionally, in some countries laws may shift the risk of loss absolutely
to the customer or otherwise prevent him from repudiating a transaction.  To
some degree, this is the direction taken in the U.S. laws governing
commercial wire transfers.  If there are any countries contemplating the
enactment of laws that would absolutely bind a person whenever his private
key has been used, I would be most interested in hearing about them.

   - Richard Field



At 11:35 AM 11/12/96 -0500, you wrote:
>+----------------------------------------------------+
>Addressed to: set-discuss@commerce.net
>+----------------------------------------------------+
>
>Not to be argumentative but non-repudiation can be established
>technically.  The formal definition requires that through technical
>and procedural proofs a party cannot repudiate a transaction.  The
>law may not recognize those techniques and procedures for contractual
>purposes today but the ABA is working on it....

------------------------------------------------------------------------
This message was sent by set-discuss@commerce.net.  For a complete listing
of available commands, please send mail to 'majordomo@commerce.net'
with 'help' (no quotations) contained within the body of your message.

--- end forwarded text



-----------------
Robert Hettinga (rah@shipwright.com)
e$, 44 Farquhar Street, Boston, MA 02131 USA
"The cost of anything is the foregone alternative" -- Walter Johnson
The e$ Home Page: http://www.vmeng.com/rah/