The goal of the non-repudiation service is to generate, col-lect, maintain, make available and validate evidence con-cerning a claimed event or action in order to resolve dis-putes about the occurrence or non occurrence of the event or action. This part of ISO/IEC 13888 provides descriptions of generic structures that can be used for non-repudiation services, and of some specific, communication related mechanisms which can be used to provide non-repudiation of origin (NRO), non-repudiation of delivery (NRD), non-repudiation of submission (NRS), and non-repudiation of transport (NRT) services. Other non-repudiation services can be built using the generic structures described in Clause 8 in order to meet the requirements defined by the security policy.
This part of ISO/IEC 13888 relies on the existence of a trusted third party (TTP) to prevent fraudulent repudiation. Usually an on-line trusted third party is needed.
Non-repudiation mechanisms provide protocols for the ex-change of non-repudiation tokens specific to each non-re-pudiation service. Non-repudiation tokens used in this part consist of Secure Envelopes and additional data. Non-repudiation tokens shall be stored as non-repudiation infor-mation that may be used subsequently in case of disputes.
Depending on the non-repudiation policy in effect for a spe-cific application, and the legal environment within which the application operates, additional information may be required to complete the non-repudiation information, e.g.,
- evidence including a trusted time stamp provided by a Time Stamping Authority,
- evidence provided by a notary which provides as-surance about the action or event performed by one or more entities.
Non-repudiation can only be provided within the context of a clearly defined security policy for a particular application and its legal environment. Non-repudiation policies are de-scribed in ISO/IEC 10181-4.
ISO/IEC 13888-2:1998 history
2012ISO/IEC 13888-2:2010/Cor 1:2012 Corrigendum 1 - Information technology -- Security techniques -- Non-repudiation -- Part 2: Mechanisms using symmetric techniques -
2010ISO/IEC 13888-2:2010 Information technology - Security techniques - Non-repudiation - Part 2: Mechanisms using symmetric techniques
1998ISO/IEC 13888-2:1998 Information technology - Security techniques - Non-repudiation - Part 2: Mechanisms using symmetric techniques