[2838] in Kerberos
Re: Kerberos non-repudiation idea
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Tue Oct 5 23:03:56 1993
Date: Tue, 5 Oct 93 22:51:39 EDT
From: tytso@MIT.EDU (Theodore Ts'o)
To: "Donald T. Davis" <don@GZA.COM>
Cc: bilbo@suite.com, kerberos@MIT.EDU
In-Reply-To: Donald T. Davis's message of Tue, 5 Oct 93 19:31:10 EDT,
The real question with the whole idea of private-key non-repudiation
algorithms is whether they are actually good enough for the applications
where you might want non-repudiation. Note that with strict
non-repudiation, there must be no way that you can claim that you didn't
sign some particular document. The more "excuses" you can place, the
weaker the non-repudiation becomes. So for digital signatures using
public-key, some scheme where your physical key is stored inside a
tamperproof card which will only sign documents after some biometrics
tests is going to be stronger than some public key scheme where your
private key is stored on an NFS file server and you can always claim
that someone stole your private key.
To lesser degree, a non-repudiation system which is dependent on the
security of the KDC is weaker than an analogous public-key system,
because there is an additional "excuse" that the repudiator can use ---
that the KDC was careless and somehow compromised the necessary private
keys. If the application of these non-repudiation services are in
support of binding, commercial contracts, the question is whether
someone would be willing to use a private-key non-repudiation system
when they could use a public-key non-repudiation system? And how much
in royalties would they be willing to pay to RSA before it would make
sense to use a public-key system instead of a private-key system?
(Especially since the RSA patent will expire in a few years.)
It is my belief that it is cost-benefit tradeoff questions like this
which is why there have been no production systems, to my knowledge,
which have attempted to provide non-repudiation facilities use
private-key systems.
- Ted
