Читать книгу The Official (ISC)2 SSCP CBK Reference - Mike Wills - Страница 51

Nonrepudiation

Оглавление

The fundamental design of the earliest internetworking protocols meant that, in many cases, the sender had no concrete proof that the recipient actually received what was sent. Contrast this with postal systems worldwide, which have long used the concept of registered mail to verify to the sender that the recipient or his agent signed for and received the piece of mail on a given date and time. Legal systems have relied for centuries on formally specified ways to serve process upon someone. Both of these mechanisms protect the sender's or originator's rights and the recipient's rights: Both parties have a vested interest in not being surprised by claims by the other that something wasn't sent, wasn't done, or wasn't received. This is the basis of the concept of nonrepudiation, which is the aspect of a system that prevents a party or user from denying that they took an action, sent a message, or received a message. Nonrepudiation does not say that the recipient understood what you sent or that they agreed with it, only that they received it.

NOTE You can think of nonrepudiation as being similar to submitting your income tax return every year or the many other government-required filings that we all must make no matter where we live or do business. Sometimes, the only way we can keep ourselves from harm is by being able to prove that we sent it in on time and that the government received it on time.

Email systems have been notorious for not providing reliable confirmation of delivery and receipt. Every email system has features built into it that allow senders and server administrators to control whether read receipts or delivery confirmations work reliably or correctly. Email threads can easily be edited to show almost anything in terms of sender and recipient information; attachments to emails can be modified as well. In short, off-the-shelf email systems do not provide anything that a court of law or an employment relations tribunal will accept as proof of what an email user claims it is.

Business cannot function that way. The transition from postal delivery of paper to electronic delivery of transactions brought many of the same requirements for nonrepudiation into your web-enabled e-business systems. What e-business and e-commerce did not do a very good job of was bringing that same need for nonrepudiation to email.

There are a number of commercial products that act as add-ons, extensions, or major enhancements to email systems that provide end-to-end, legally compliant, evidence-grade proof regarding the sending and receiving of email. A number of national postal systems around the world have started to package these systems as their own government-endorsed email version of registered postal mail. Many industry-facing vertical platforms embed these nonrepudiation features into the ways that they handle transaction processing, rendering reams of fax traffic, uncontrollable emails, or even postal mail largely obsolete.

Systems with high degrees of nonrepudiation are in essence systems that are auditable and that are restricted to users who authenticate themselves prior to each use; they also tend to be systems with strong data integrity, privacy, or confidentiality protection built into them. Using these systems improves the organization's bottom line, while enhancing its reputation for trustworthiness and reliability.

The Official (ISC)2 SSCP CBK Reference

Подняться наверх