Security Basics mailing list archives

Re: RE: Proving non-repudiation in e-Commerce App


From: bitshield () gmail com
Date: 2 Jun 2006 11:19:39 -0000

Hi Craig

thanks for your in-depth explanation. You are right, the term "prove" is too strong. I want to be able to say to the 
customer: "Yes, your system implements non-repudiation on a best-practice basis. Whenever there are problems, you 
have a good chance of taking legal action."
What does this actually mean? I want to illuminate each component of the application (as you said). To do that I have 
to know how one implements proper non-repudiation. For example:

What does the application log have to look like? I guess the log will be an important part, where you can trace and 
back up the transactions. What does a log entry look like, to prove that it couldn't be altered by the sysadmin or by a 
hacker?

Every action triggered by the client should somehow be signed using the client's private key and then stored in a DB or 
a log file. I think such a solution would implement non-repudiation. What do you guys think? Are there other or better 
practices? I'm looking for applied practices.

Thanks
Joe
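The two questions in the post above (what a log entry must carry so that the customer cannot deny it, and how to tell afterwards whether the sysadmin or an intruder rewrote it) can be shown together in one small piece of code. The following Go program is an added illustration for this archive page, not code from the thread's author or from any product discussed there. It assumes the shop has each customer's Ed25519 public key on file (the field names, customer id and amounts are constructed sample data): the client signs a canonical form of every action with its own private key, the server refuses to log anything whose signature does not verify, and every stored entry is hash-chained to its predecessor so that a later edit of any field or deletion of any entry is detectable.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// ActionRecord is the canonical form of what the client signs: the action itself
// plus context (customer id, sequence number, time) so a signed record cannot be
// replayed as a different transaction. Field names are constructed for this example.
type ActionRecord struct {
	ClientID string `json:"client_id"`
	Seq      uint64 `json:"seq"`
	Action   string `json:"action"`
	Amount   int64  `json:"amount_cents"`
	Time     string `json:"time"`
}

// LogEntry is what the server appends: the record, the client's signature over it,
// the hash of the previous entry and this entry's own hash (the chain link).
type LogEntry struct {
	Record    ActionRecord
	ClientSig []byte
	PrevHash  []byte
	Hash      []byte
}

// canonical serialises a record deterministically (struct field order is fixed),
// so client and server hash and sign exactly the same bytes.
func canonical(r ActionRecord) []byte {
	b, _ := json.Marshal(r)
	return b
}

// ClientSign runs on the customer's side. The server never holds this private key;
// that is what lets the signature bind the action to the customer.
func ClientSign(priv ed25519.PrivateKey, r ActionRecord) []byte {
	return ed25519.Sign(priv, canonical(r))
}

// entryHash binds an entry to its predecessor: H(prevHash || record || signature).
func entryHash(prev, msg, sig []byte) []byte {
	h := sha256.New()
	h.Write(prev)
	h.Write(msg)
	h.Write(sig)
	return h.Sum(nil)
}

// Append verifies the client's signature against the registered public key and only
// then chains the entry onto the log. An unverifiable action is never written.
func Append(entries []LogEntry, pub ed25519.PublicKey, r ActionRecord, sig []byte) ([]LogEntry, error) {
	msg := canonical(r)
	if !ed25519.Verify(pub, msg, sig) {
		return entries, errors.New("client signature does not verify; refusing to log action")
	}
	var prev []byte
	if len(entries) > 0 {
		prev = entries[len(entries)-1].Hash
	}
	e := LogEntry{Record: r, ClientSig: sig, PrevHash: prev, Hash: entryHash(prev, msg, sig)}
	return append(entries, e), nil
}

// VerifyChain is the auditor's check: re-verify every signature and re-derive every
// hash link. It returns the index of the first bad entry, or -1 if the log is intact.
func VerifyChain(entries []LogEntry, pubs map[string]ed25519.PublicKey) int {
	var prev []byte
	for i, e := range entries {
		pub, ok := pubs[e.Record.ClientID]
		msg := canonical(e.Record)
		if !ok || !ed25519.Verify(pub, msg, e.ClientSig) {
			return i // record changed after signing, or unknown customer
		}
		if !bytes.Equal(e.PrevHash, prev) || !bytes.Equal(e.Hash, entryHash(prev, msg, e.ClientSig)) {
			return i // chain broken: an entry was edited, removed or reordered
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the customer's enrolled key pair
	pubs := map[string]ed25519.PublicKey{"cust-42": pub}
	r := ActionRecord{ClientID: "cust-42", Seq: 1, Action: "place_order", Amount: 1999, Time: "2006-06-02T11:19:39Z"}
	entries, err := Append(nil, pub, r, ClientSign(priv, r))
	if err != nil {
		panic(err)
	}
	fmt.Println("head hash:", hex.EncodeToString(entries[0].Hash), "intact:", VerifyChain(entries, pubs) == -1)
	entries[0].Record.Amount = 1 // a sysadmin "fixing" the amount afterwards
	fmt.Println("first bad entry after tampering:", VerifyChain(entries, pubs))
}
```

Two caveats belong with this. The per-entry signature is what carries non-repudiation, and it only does so if the customer really is the sole holder of the private key (enrolment, key storage and revocation are the hard part, not the signing call). The hash chain by itself only proves the log is internally consistent; an administrator who can rewrite the whole file can rebuild the chain from any point, so the current head hash should be periodically anchored somewhere the administrator cannot alter (a timestamping service, a write-once medium or a third party), and the auditor compares against that anchor.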

