scope:

The goal of the non-repudiation service is to generate, collect, maintain, make available and validate evidence concerning a claimed event or action in order to resolve disputes about the occurrence or non-occurrence of the event or action. This International Standard provides descriptions of generic structures that can be used for non-repudiation services, and of some specific communication-related mechanisms which can be used to provide non-repudiation of origin (NRO) and non-repudiation of delivery (NRD). Other non-repudiation services can be built using the generic structures described in clause 8 in order to meet the requirements defined by the security policy. This standard relies on the existence of a trusted third party (TTP) to prevent fraudulent repudiation or accusation. Usually, an online trusted third party is needed. Non-repudiation mechanisms provide technical components for the exchange of non-repudiation tokens specific to each non-repudiation service. Non-repudiation tokens specified herein consist of Secure Envelopes and additional data. Non-repudiation tokens shall be stored as non-repudiation information that may be used subsequently in case of disputes. Depending on the non-repudiation policy in effect for a specific application, and the legal environment within which the application operates, additional information may be required to complete the non-repudiation information, e.g., - evidence involving a trusted time stamp provided by a Time Stamping Authority, - evidence provided by a notary which provides assurance about the action or event performed by one or more entities. Non-repudiation can only be provided within the context of a clearly defined security policy for a particular application and its legal environment. Non-repudiation policies are described in ISO/IEC 10181-4, Security frameworks for open systems - Part 4: Non-repudiation framework.