RE: Signing before Encryption and Signing after Encryption

["David Gillett" <gillettdavid () fhda edu>]

  You're right, there's the entire additional dimension of tying
the private key to the entity it is supposed to represent.  That's
not part of the encryption, but it's a necessary part of the
legality.  I find it far too easy to get caught up in the
technical aspects....

David Gillett
 

> -----Original Message-----
> From: Craig Wright [mailto:cwright () bdosyd com au] 
> Sent: Wednesday, March 22, 2006 1:53 PM
> To: gillettdavid () fhda edu; shyaam () gmail com; 
> security-basics () securityfocus com
> Subject: RE: Signing before Encryption and Signing after Encryption
>
>
> Hi David,
> Non-repudiation has different requirements in different legal 
> jurisdictions.
>
> There needs to be a manner to verify the keys (i.e. PKI). I 
> can get a verisign certificate calling myself Bill Gates. 
> This does not mean for the purpose of legal contractual 
> negotiations that I am Bill Gates. I could sign an email as 
> such though.
>
> For non-repudiation to work, there needs to be an attestation 
> by the operator of the certificate authority.
>
>
> The following are some guidelines for non-repudiation, based 
> on locality of course:
> Australia     National Electronic Authentication Council,
>
>               Liability and other Legal Issues in the Use of 
> PKI Digital Certificates (May 2002).
>
> EC,           Directive 1999/93/EC of the European Parliament and of
> the Council
> Austria,      Signature Law, 2000
>
> England, Scotland and Wales
>
>               Electronic Communications Act, 2000
>
> Germany       Signature Law, 2001
>
> Sweden        Qualified Electronic Signatures Act (SFS 
> 2000:832) (in swedish).
>
>
> India         Information Technology Act, 2000
>
> New Zealand   Electronic Transactions Act, 2003 sections 22-24
>
> USA           Electronic Signatures in Global and National Commerce
> Act (E-SIGN),
>
>               at 15 U.S.C. 7001 et seq
> Switzerland   Federal Law on Certification Services Concerning the
> Electronic Signature, 2003
>
>
> To take a quote from the English Ministry associated with 
> Digital Signature law:
> "A private key authenticated by a digital certificate 
> generated within a PKI can be considered as the electronic 
> equivalent of a passport. Both establish identities for 
> persons who have met the requisite identity checks. The 
> community accepts the validity of the holder's identity 
> because it trusts the issuer. The identity can be used to 
> authenticate the holder in subsequent transactions without 
> directly involving the issuer."
>
> Web of trust models such as PGP can result in a signature, 
> but the issue of non-repudiation is not fulfilled in that the 
> issuer can not be held to account separately (as it is a self 
> signed certificate).
>
> In situations where the parties have had prior dealings, it 
> may be possible to verify the owner of the public key, for 
> example, at a personal meeting, parties may exchange public 
> keys on floppy disks (eg key signing parties). However, if 
> the parties are unknown to each other, and perhaps in 
> different jurisdictions, the requisite level of confidence is 
> not present. The solution to this lies in the public key 
> infrastructure and is governed by different levels of trust.
>
>
> Regards
> Craig
>
> -----Original Message-----
> From: David Gillett [mailto:gillettdavid () fhda edu]
>
> Sent: 23 March 2006 8:24
> To: Craig Wright; shyaam () gmail com; security-basics () securityfocus com
> Subject: RE: Signing before Encryption and Signing after Encryption
>
>   Does non-repudiation require anything more than assurance 
> that the private key (a) MUST have been used, and (b) HASN'T 
> been compromised?
> Are you just alluding to the measures which support those 
> assertions, or to some additional requirement(s) that escapes me?
>
>   [If your private key isn't really private, all bets are off.]
>
> David Gillett
>
>
> > -----Original Message-----
> > From: Craig Wright [mailto:cwright () bdosyd com au]
> > Sent: Wednesday, March 22, 2006 12:56 PM
> > To: gillettdavid () fhda edu; shyaam () gmail com;
>
> > security-basics () securityfocus com
> > Subject: RE: Signing before Encryption and Signing after Encryption
>
> >
>
> > True, but the argument was not one as to which is the better method.
> > There are several secure hashing algorithms.
>
> >
>
> > Further there is more to verification to source than just asymmetric
>
> > keys. Non-repudiation is a complex field in itself and requires a
>
> > entire range of associated infrastructure.
>
> > Regards
> > Craig
>
>
> Liability limited by a scheme approved under Professional 
> Standards Legislation in respect of matters arising within 
> those States and Territories of Australia where such 
> legislation exists.
>
> DISCLAIMER
> The information contained in this email and any attachments 
> is confidential. If you are not the intended recipient, you 
> must not use or disclose the information. If you have 
> received this email in error, please inform us promptly by 
> reply email or by telephoning +61 2 9286 5555. Please delete 
> the email and destroy any printed copy. 
>
>
> Any views expressed in this message are those of the 
> individual sender. You may not rely on this message as advice 
> unless it has been electronically signed by a Partner of BDO 
> or it is subsequently confirmed by letter or fax signed by a 
> Partner of BDO.
>
> BDO accepts no liability for any damage caused by this email 
> or its attachments due to viruses, interference, 
> interception, corruption or unauthorised access.


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------