"Non-repudiation is the term used for the service that ensures, to the extent technically possible, that entities remain honest about their actions. As a particular example, if Bob sends a digitally signed receipt to Alice, claiming that he received a specific message from her, he cannot later deny having received the message without in effect admitting one of the following:
- He knowingly gave his signing private key to a third party to allow the possibility of repudiating the message receipt.
- His signing private key was compromised without his knowledge (and, he was therefore somewhat negligent in protecting it properly)."[1]
It is important to realise that Non-repudiation isn't just about asymmetric cryptography. Non-repudiation is about
- Hardware Security
- Personnel Security
- CA Security
- Usability
- Visible Security
- PKI Security
- Application Design
- Law and Contracts
- Risks and Risk Management
- Social Engineering
- ...
Only client side signatures can not achieve non-repudiation. The PKI has a large role of an enabler, providing the various services in addition to client side signatures for the signatures to make some sense and have some value. Secure Time Stamping, CRLs , Certificate Histories etc. being only the tip of the iceberg. There is also the responsibility of the decision makers to realise the powers and limitations of the technologies involved and make an informed decision as well as come up with an holistic policy with regards to digital signatures in web forms.
It is equally important to realise that non-repudiation is essentially a human/end user phenomenon resolved by human courts and other dispute resolution mechanisms. "It is not necessary to prove a statement/transaction beyond a shred of doubt as many would assume. The courts don't operate that way - and neither does real life.What the courts do is to encourage the presentation of all evidence. (That's what hearings are, the presentation of evidence.). Then, the law is applied - and this means that each piece of evidence is measured and filtered and rated. It is mulled over, tested, probed, and brought into relationship with all the other pieces of evidence. There is strong evidence and weak evidence. There is stuff that is hard to ignore, and stuff that doesn't add to much. But, even the stuff that adds up to little is not discriminated against, at least not in the early phases.
A digital signature, prima facie, is just another piece of evidence. In the initial presentation of evidence, it is neither weak nor strong. It is certainly not "non-repudiable". What it is, is another input to be processed. The digital signature is as good as all the others, first off. Later on, it might become stronger or weaker, depending, while we might want to improve the strength of that evidence, economics dictate otherwise. Any piece of evidence will be scrutinised by the courts, and assessed for its strength. So, for signatures to be effective, the assumptions and tests that can be applied in a particular case must be clearly laid out in an accessible format. This is a job of system architects , cryptographers and web application developers."[2]
[1] Understand PKI : ... By Carlise Adams et. al. [2] www.financialcryptography.com Repudiating Non-repudiation