RE: data origin authentication
Christina Helbig <cbh@zyfer.com> Wed, 08 May 2002 19:33 UTC
Message-ID: <6F0AA176DA68704884B7507AE6907E180817DD@snake012.odetics.com>
From: Christina Helbig <cbh@zyfer.com>
To: 'Goeman Stefan' <Stefan.Goeman@siemens.atea.be>
Cc: "'ipsec@lists.tislabs.com'" <ipsec@lists.tislabs.com>
Subject: RE: data origin authentication
Date: Wed, 08 May 2002 08:57:50 -0700
Hi, Stefan

I haven't claimed that ESP offers non-repudiation. ESP offers data origin authentication without non-repudiation. This was only a remark about a possible misunderstanding of the term "data origin authentication" in the sense that there is only one possible origin.

Greetings
Christina

> -----Original Message-----
> From: Goeman Stefan [mailto:Stefan.Goeman@siemens.atea.be]
> Sent: Wednesday, May 08, 2002 1:12 AM
> To: 'ipsec@lists.tislabs.com'
> Subject: RE: data origin authentication
>
>
> Hello All,
>
> > -----Original Message-----
> > From: Christina Helbig [mailto:cbh@zyfer.com]
> > Sent: dinsdag 7 mei 2002 21:02
> > To: 'Joern Sierwald'; ipsec@lists.tislabs.com
> > Subject: RE: data origin authentication
> >
> >
> > Hello, Joern
> > if you are a bad guy and you own an in-bound SA you can
> > produce a faked ESP packet that looks like it's come from
> > the other party of your in-bound SA.
> > Then you can claim that you got this packet from the other
> > party. So the data origin authentication of ESP (two parties
> > know the same authentication key) doesn't deliver
> > non-repudiation of data origin. But a receiver can be
> > sure that the sender of an incoming ESP packet is only the
> > other party of the related in-bound SA or the receiver itself.
>
> Non-repudiation.
> Hmm.
> Checking the RFCs, it is nowhere claimed that ESP and/or AH
> offers non-repudiation as a security service.
>
> (But perhaps non-repudiation is a must and then solutions have
> to be developed.)
>
>
> Greetings,
>
> Stefan.
>
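The property discussed in this message, as an added example that is not part of the original e-mail: with a shared authentication key, a packet verifies for the receiver whether the peer or the receiver itself built it, so a third party can only narrow the origin down to the key holders. It assumes HMAC-SHA-1-96 as the integrity algorithm and a simplified ESP layout without encryption or padding; the keys, SPI, payloads and party names A, B and C are constructed.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA-1-96: HMAC-SHA-1 output truncated to 96 bits


def build_packet(auth_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Simplified ESP layout: SPI | sequence number | payload | ICV."""
    body = struct.pack("!II", spi, seq) + payload
    return body + hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]


def verify_packet(auth_key: bytes, packet: bytes) -> bool:
    """Recompute the ICV with the SA's authentication key and compare."""
    if len(packet) < 8 + ICV_LEN:
        return False
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def possible_origins(key_holders: dict, packet: bytes) -> list:
    """All a third party can conclude: any holder of a verifying key may be the origin."""
    return sorted(n for n, k in key_holders.items() if verify_packet(k, packet))


# Constructed sample values (not from the thread).
SA_KEY = bytes(range(20))          # authentication key shared by peers A and B
OTHER_KEY = bytes(range(20, 40))   # key of an unrelated party C
SPI, SEQ = 0x00001000, 1
HOLDERS = {"A": SA_KEY, "B": SA_KEY, "C": OTHER_KEY}

from_a = build_packet(SA_KEY, SPI, SEQ, b"pay 100 to B")      # sent by A on B's in-bound SA
made_by_b = build_packet(SA_KEY, SPI, SEQ, b"pay 900 to B")   # built by the receiver itself
from_c = build_packet(OTHER_KEY, SPI, SEQ, b"pay 900 to B")   # party outside the SA

if __name__ == "__main__":
    for name, pkt in (("from_a", from_a), ("made_by_b", made_by_b), ("from_c", from_c)):
        print(name, "verifies at B:", verify_packet(SA_KEY, pkt),
              "possible origins:", possible_origins(HOLDERS, pkt))
```

B can tell the first two packets apart only because it knows which one it built; anyone checking them afterwards gets the same answer for both, which is why the service stops short of non-repudiation.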