[19925] in cryptography@c2.net mail archive
Re: Nonrepudiation - in some sense
daemon@ATHENA.MIT.EDU (Ben Laurie)
Fri Feb 10 15:14:20 2006
X-Original-To: cryptography@metzdowd.com
Date: Fri, 10 Feb 2006 19:49:59 +0000
From: Ben Laurie <ben@algroup.co.uk>
To: leichter_jerrold@emc.com
Cc: cryptography@metzdowd.com
In-Reply-To: <Pine.SOL.4.61.0602100920050.5902@mental>
leichter_jerrold@emc.com wrote:
> From a description of the Imperva "SecureSphere" technology. Imperva makes
> firewalls that can "look inside" SSL sessions:
>
> SSL Security that Maintains Non-Repudiation
>
> SecureSphere can inspect the contents of both HTTP and HTTPS
> (SSL) traffic. SecureSphere delivers higher HTTPS performance
> than competing reverse proxy point solutions because
> SecureSphere decrypts SSL encrypted traffic but does not
> terminate it. Therefore SecureSphere simply passes the encrypted
> packets unchanged to the application or database server. This
> eliminates the overhead of re-packaging (i.e. changing) the
> communications, re-negotiating a new SSL connection to the
> server, and re-encrypting the information. Moreover, it
> maintains the non-repudiation of transactions since the
> encrypted communication is between client and application with
> no proxy acting as middleman.

Firstly, even if you believe that _any_ crypto provides non-repudiation
(see http://www.apache-ssl.org/tech-legal.pdf for a paper I co-authored
on this and other stuff - executive summary: I don't believe it), you
can't "maintain" the non-repudiation of SSL because it doesn't provide
non-repudiation.

Secondly, obviously, you can only decrypt SSL if you have the private
key, so presumably this is referring only to incoming SSL connections.

Cheers,

Ben.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
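
An added illustration, not part of the message or the thread above: one concrete reason the TLS 1.0 record layer gives no non-repudiation is that the key authenticating client records is derived by both endpoints from the shared master secret (RFC 2246), so the server can compute a valid MAC over a record the client never sent. The session values, payloads and function names below are constructed for the example.

```python
import hashlib
import hmac
import struct

def p_hash(name, secret, seed, n):
    """P_hash expansion (RFC 2246, section 5)."""
    out, a = b"", seed
    while len(out) < n:
        a = hmac.new(secret, a, name).digest()
        out += hmac.new(secret, a + seed, name).digest()
    return out[:n]

def tls10_prf(secret, label, seed, n):
    """TLS 1.0 PRF: P_MD5(first half of secret) XOR P_SHA-1(second half)."""
    half = (len(secret) + 1) // 2
    md5 = p_hash("md5", secret[:half], label + seed, n)
    sha1 = p_hash("sha1", secret[-half:], label + seed, n)
    return bytes(x ^ y for x, y in zip(md5, sha1))

def client_write_mac_secret(master_secret, client_random, server_random):
    """First 20 bytes of the key block for a suite with an HMAC-SHA1 record MAC."""
    seed = server_random + client_random
    return tls10_prf(master_secret, b"key expansion", seed, 20)

def record_mac(mac_secret, seq, fragment, ctype=23, version=(3, 1)):
    """HMAC-SHA1 over seq_num || type || version || length || fragment."""
    header = struct.pack("!QBBBH", seq, ctype, version[0], version[1], len(fragment))
    return hmac.new(mac_secret, header + fragment, hashlib.sha1).digest()

def verifies(mac_secret, seq, fragment, tag):
    """The only check a third party handed the session keys could perform."""
    return hmac.compare_digest(record_mac(mac_secret, seq, fragment), tag)

def demo():
    # Constructed session state; client and server both hold it after the handshake.
    ms, cr, sr = bytes(range(48)), b"\x01" * 32, b"\x02" * 32
    key = client_write_mac_secret(ms, cr, sr)  # identical on both endpoints
    sent_by_client = b"order qty=10"
    made_by_server = b"order qty=9999"         # never sent by the client
    tag_client = record_mac(key, 1, sent_by_client)
    tag_server = record_mac(key, 1, made_by_server)
    # Both records pass the same check, so the MAC cannot show which side wrote one.
    return verifies(key, 1, sent_by_client, tag_client), \
        verifies(key, 1, made_by_server, tag_server)

if __name__ == "__main__":
    print(demo())
```

The MAC still detects modification by anyone without the session keys; what it cannot do is attribute a record to one endpoint rather than the other.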