15th Annual Computer Security Applications Conference
December 6-10, 1999
Phoenix, Arizona


Non-repudiation Evidence Generation for CORBA using XML

Michael Wichert, wichert@gmd.de
GMD - German National Research Center for Information Technology
SIT-Institute for Secure Telecooperation
64295 Darmstadt
Germany

David Ingham, dave.ingham@ncl.ac.uk
Steve Caughey, s.j.caughey@ncl.ac.uk
Department of Computing Science
Newcastle University
Newcastle upon Tyne
NE1 7RU
United Kingdom

Electronic business transactions commonly cross organisational boundaries where there is only a limited degree of trust. In order to compensate for this lack of trust, digital signatures and encryption can be used to provide support for non-repudiation. This is achieved by generating unforgeable evidence of transactions that can be used for dispute resolution after the fact. This paper focuses on the provision of a non-repudiation service for CORBA, the industry standard middleware for distributed applications. The current OMG specification of a CORBA non-repudiation service forces the programmer to augment the application with calls to functions for generating or validating evidence. Furthermore, the application itself has to manage the exchange of this evidence between parties and its storage. The paper describes our design for a generic CORBA non-repudiation service implementation. Our approach provides a separation between the application business logic and the generation of evidence, allowing non-repudiation support to be incorporated into applications with the minimum of programmer effort. The paper begins with an overview of the CORBA non-repudiation security service specification, illustrating its importance for electronic commerce. Our design is then described using the example of ordering goods over the Internet. The non-repudiation service provides the parties with evidence proving that the transaction has taken place. This proof is an XML document based on the proposed IETF Internet standard Digital Signatures for XML.
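The evidence generation and validation the abstract describes, shown as an added Go example that is not the paper's code: an order placed over the Internet is serialised as an XML element, signed by its originator, and wrapped in an evidence document that the other party can store and later validate. The Order schema, the flat Evidence element, the "NRO" evidence type label and the choice of ECDSA P-256 over SHA-256 are assumptions made for this example; the paper's design follows the XML-DSig draft, whose canonicalisation rules and Signature element structure are not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

// Order is the business payload that the evidence covers.
// The field layout is an assumption for this example, not the paper's schema.
type Order struct {
	XMLName  xml.Name `xml:"Order"`
	ID       string   `xml:"id,attr"`
	Customer string   `xml:"Customer"`
	Item     string   `xml:"Item"`
	Quantity int      `xml:"Quantity"`
}

// Evidence is a simplified non-repudiation token: the signed payload plus a
// detached signature. XML-DSig wraps the signature in a <Signature> element
// with canonicalisation and key info; that structure is not reproduced here
// (assumption: a flat element is enough to show the idea).
type Evidence struct {
	XMLName   xml.Name `xml:"Evidence"`
	Type      string   `xml:"type,attr"` // e.g. "NRO" for non-repudiation of origin
	Order     Order
	Signature string `xml:"Signature"` // base64 of ASN.1 DER ECDSA over SHA-256 of the Order element
}

// NewKey creates the originator's signing key (P-256 ECDSA).
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// orderDigest serialises the Order element and hashes it. xml.Marshal is
// deterministic for a given struct, which stands in for XML canonicalisation.
func orderDigest(o Order) ([]byte, error) {
	raw, err := xml.Marshal(o)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(raw)
	return sum[:], nil
}

// GenerateEvidence signs the order on behalf of its originator.
func GenerateEvidence(priv *ecdsa.PrivateKey, o Order, evType string) (Evidence, error) {
	digest, err := orderDigest(o)
	if err != nil {
		return Evidence{}, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest)
	if err != nil {
		return Evidence{}, err
	}
	return Evidence{Type: evType, Order: o, Signature: base64.StdEncoding.EncodeToString(sig)}, nil
}

// VerifyEvidence re-derives the digest from the Order carried inside the
// evidence and checks the signature, so any change to the order after signing
// (quantity, customer, item) is detected at dispute time.
func VerifyEvidence(pub *ecdsa.PublicKey, ev Evidence) (bool, error) {
	sig, err := base64.StdEncoding.DecodeString(ev.Signature)
	if err != nil {
		return false, err
	}
	digest, err := orderDigest(ev.Order)
	if err != nil {
		return false, err
	}
	return ecdsa.VerifyASN1(pub, digest, sig), nil
}

// EncodeEvidence produces the XML document exchanged and stored by the parties.
func EncodeEvidence(ev Evidence) ([]byte, error) {
	return xml.MarshalIndent(ev, "", "  ")
}

// ParseEvidence reads an evidence document received from the other party.
func ParseEvidence(doc []byte) (Evidence, error) {
	var ev Evidence
	if err := xml.Unmarshal(doc, &ev); err != nil {
		return Evidence{}, err
	}
	if ev.Signature == "" {
		return Evidence{}, errors.New("evidence carries no signature")
	}
	return ev, nil
}

func main() {
	priv, err := NewKey()
	if err != nil {
		panic(err)
	}
	order := Order{ID: "ORD-1001", Customer: "alice", Item: "widget", Quantity: 3} // constructed sample
	ev, _ := GenerateEvidence(priv, order, "NRO")
	doc, _ := EncodeEvidence(ev)
	fmt.Println(string(doc))
	ok, _ := VerifyEvidence(&priv.PublicKey, ev)
	fmt.Println("evidence valid:", ok)
	ev.Order.Quantity = 300 // an altered copy presented in a later dispute
	ok, _ = VerifyEvidence(&priv.PublicKey, ev)
	fmt.Println("altered evidence valid:", ok)
}
```

The verifier recomputes the digest from the order carried inside the evidence rather than from a separately supplied copy, so the stored XML document plus the originator's public key is all a party needs to settle a dispute. Whether the service, rather than the application, performs this signing and storage is exactly the separation the paper argues for.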

Keywords: Security, CORBA, XML, non-repudiation, e-commerce.