In this article I explain why (in my non-qualified opinion as a non-lawyer) I think most people are wasting their time when they worry about non-repudiation of SOA messages.
The purpose of non-repudiation in business is to try and make sure someone can't welch on a contract. The idea being that when you send a SOA message you are, in effect, entering into a contract and so you want some kind of non-repudiation measure to make sure that the sender of the message can't come back later and say "I never sent that message and I'm not paying for the 10,000 widgets it ordered either!".
When you talk about non-repudiation most geeks will immediately start discussing digital signatures and encryption technology. But near as I can tell (and I'm no lawyer) there is no need to use encryption technology to get non-repudiation and anyway the biggest problem one will have in court is probably not proving who sent the message but proving what it is both parties agreed to when the message was sent.
So unless you intend to have an army of lawyers drive your software development process you are all but sure to be better off not worrying about non-repudiation.
What is a Digital Signature, legally speaking?
In Geek land digital signatures are all about encryption, public and private keys, cryptographically secure hashes, etc. Making all of this work is, of course, non-trivial. It requires a lot of infrastructure to generate and disseminate keys as well as to maintain the keys, ensure proper access, deal with revocations, etc. Therefore using digital signatures is far from free in practice.
But, you see, here is the funny part. geeks, being geeks, just worry about the technology. But notice the point of this exercise – to enforce a 'contract' in court. The use of digital signatures in SOA is therefore not about technology but about the law and the law has some interesting things to say on the matter.
First of all, it is far from clear that one needs a digital signature in order to make a message non-repudiable for legal purposes. Have you had experience lately signing up for an on-line service where you were asked to just type in your name as your 'digital signature'? Or filling out a form that included a notice by the post button saying that by pressing this button you are electronically signing the form and agreeing to its contents? These, of course, aren't digital signatures in the encryption sense but near as I can tell they are digital signatures in the legal sense.
Watch this part carefully because it will make all the Geek's heads hurt. While digital signature are legally enforceable in the U.S. and I believe Europe the legal term 'digital signature' seems to just mean 'some identifying mark sent electronically'. In other words when geeks say 'digital signature' they mean cryptography but that isn't what the law necessarily means when it says 'digital signature'. We have two groups using the same phrase to mean two different things.
I can already hear the geeks screaming "but you can fake that other stuff!". Well, yes, you can, but you can fake physical signatures too. It turns out the legal system has dealt with such problems for a very long time. While this may offend our Geek sensibilities it is how the world appears to work.
BTW, just to confuse things even more some states in the U.S. have different definitions of digital signatures than others. California actually takes a pretty reasonable approach and defines the qualities a digital signature must have rather than the specifics of how it is to be implemented. But keep in mind that these laws are apparently not exclusive. That is, if you can reasonably show to the satisfaction of the court that a message came from a specific source than that message can be considered binding. There have apparently already been several cases involving e-mail in various jurisdictions around the world where courts took e-mails to be legally binding. Besides, near as I can tell, most of the more restrictive digital signature laws have yet to be tested in court so their meaning in practice is still unknown.
Contracts, it depends on what the meaning of the word "is" is
But wait, it gets better. Let's say the message is signed following the strictest legal standards available, the sender welched and now you are ready to nail the jerk in court! But here's the thing, have you ever been involved in a contract negotiation? If you haven't you should try it at least once. Yes, the experience is right up their with root canal but the pain goes away quickly and you will learn some important lessons (such as: don't get involved in contract negotiations). The first thing you will notice about a contract negotiation is that most of the people in the room are lawyers. The next thing you will notice is that the lawyers don't speak English and they like to use red pens. But the point is that the actual process of negotiating a contract is a long and painful one.
The reason for the pain is that badly written contracts create ambiguities that courts are happy to resolve in a process that one lawyer once described to me as being akin to roulette. The result often seems to be more about chance (what judge you get, what jury, if there is one, etc.) than about the quality of your case.
This is why contracts tend to be written down and tend to involve a lot of lawyers ahead of time. It turns out that paying lawyers upfront is significantly cheaper than paying them in court.
All of which brings us back to SOA. For, you see, when you take your digitally signed message to court what you are doing is trying to enforce a contract. Except, um, how many lawyers did you have examine that message before you defined it in your software? How many legal reviews did it actually go through? Did you ever discuss it with the message sender's lawyer's ahead of time? I'm guessing the answer to these questions is generally – 'no'. Which means that no one, in a legal sense, really knows who agreed to what. Trying to enforce your 'contract' in court is quite likely to do little else than provide a lot of money to a lot of lawyers.
The legal burden of proof for a digital signature (in the legal sense) doesn't seem to be, in most cases, anywhere near the burden of proof expected by digital signatures (in the geek sense). And besides, even if the legal burden proof was the same as the geek burden of proof the real pain is likely not proving who sent the message but proving what they meant when they sent it. Unless armies of lawyers are involved in your software development process then non-repudiation is probably not worth much thought.