II.  What PKI Does - The Killer Apps

F.  Non-Repudiation

Non-repudiation blocks the sender's false denial that the sender sent a particular message.  Whereas authentication of identity may be sufficient for applications where the sender needs only to convince the recipient of her identity, the legal requirements of many e-commerce applications call for non-repudiation sufficiently robust for the recipient to prove to a third party such as a judge or jury that the sender's denial was false.  Conventional crypto with a single shared secret PIN may be sufficient for two-party authentication, but PKI technology is needed for three-party non-repudiation on open systems such as the Internet.
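The contrast drawn above, as an added Go example that is not part of the original page: a tag made with a shared PIN can be produced by the recipient as well as the sender, while a signature can be made only with the sender's private key. Ed25519 stands in for whatever signature algorithm a PKI would use, certificate validation is omitted, and the PIN, order strings and function names are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// macTag computes the tag that ANY holder of the shared secret can produce.
func macTag(shared, msg []byte) []byte {
	m := hmac.New(sha256.New, shared)
	m.Write(msg)
	return m.Sum(nil)
}

// judgeAcceptsMAC shows a third party only that someone who knew the shared
// secret made the tag; it cannot tell the sender from the recipient.
func judgeAcceptsMAC(shared, msg, tag []byte) bool {
	return hmac.Equal(macTag(shared, msg), tag)
}

// judgeAcceptsSig needs only the sender's public key, which a PKI binds to
// the sender with a certificate (certificate checking is omitted here).
func judgeAcceptsSig(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// scenario returns: recipient-made MAC accepted, genuine signature accepted,
// same signature accepted on a different order.
func scenario() (bool, bool, bool) {
	pin := []byte("constructed-shared-PIN") // constructed sample secret
	sent := []byte("BUY 100 XYZ")           // constructed order the customer sent
	disputed := []byte("BUY 10000 XYZ")     // constructed order the customer denies
	// The recipient also holds the PIN, so it can tag an order never sent.
	recipientTag := macTag(pin, disputed)
	// Only the customer holds the private key; the recipient has pub only.
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	sig := ed25519.Sign(priv, sent)
	return judgeAcceptsMAC(pin, disputed, recipientTag),
		judgeAcceptsSig(pub, sent, sig),
		judgeAcceptsSig(pub, disputed, sig)
}

func main() {
	fmt.Println(scenario()) // MAC case, genuine signature, altered order
}
```

A valid signature is evidence that the private key was used; it does not by itself show who was operating the key.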

May 24, 1999 - PowerPoint slides (needs Microsoft Internet Explorer browser) of Charles Merrill of McCarter & English LLP, "Security Issues in Online Trading," presented in New York City on May 24, 1999, sponsored by Institute of International Research.  The presentation analyzes an illustration of an online day trader attempting to repudiate an improvident trade under (i) the weakness of the existing security paradigm using SSL and a single-key PIN, and (ii) a future PKI designed to provide strong non-repudiation for online transactions.

April 28, 1999 - "Teen bids away $3.2 million of parents' money - S. Jersey boy finds eBay account password."  The Newark, NJ Star-Ledger reported (relaying a report in the Ontario National Post) that a 13-year-old boy used his parents' auction account (presumably with a single-key PIN or passphrase) with eBay to successfully bid on a $1.2 million medical center in Jacksonville, Fla., a Van Gogh sketch, a 1971 Corvette convertible, and a $400,000 bedroom suite that once belonged to Sir John A. Macdonald, Canada's first prime minister.  When the problem was discovered, the account was suspended, and the bids were subsequently canceled.

The article didn't state whether the sellers of these items were able to close sales at or near the bidding level of the bidders.  If not, the repudiated bid caused the innocent sellers some serious damage.  The really interesting additional question is whether the parents were telling the truth when they claimed that the bid made with their password was unauthorized.  If authentication of eBay bidders were by PKI instead of a PIN, what would be the result of a suit by the damaged sellers against the parents?  What additional facts would you want to know?