Thoughts on non-repudiation
What exactly is "non-repudiation?" This question has been asked many times but rarely answered, at least in a reasonable way. Part of the problem seems to be caused by the fact that "repudiation" means something particular to lawyers, and that meaning isn’t the same as the one that technologists think of, and most of the debates over the meaning of "non-repudiation" can probably be reduced to the misunderstanding that using that particular term caused. If a term like "origin authentication and data integrity" (OADI) had been used instead, we’d probably have reached an agreement as to what the term actually means long ago, but it wasn’t, so we’re stuck with a more confusing term instead.
OADI can be ensured in more than one way. A digital signature can be the basis for ensuring OADI, but doing this gives you a scheme that’s only as good as the controls around the private key that’s used to create the signature. If a digital certificate is used in an OADI scheme, then you have even more controls to worry about: those used by the CA that creates the certificate. So without the right controls in place, a digital signature isn’t very useful for ensuring OADI.
A MAC can also be used as the basis for ensuring OADI, and it’s also only as good as the controls around the key that’s used to create or verify the MAC. If you have controls in place that ensure that the sender of a message can only use a key to create a MAC and that the recipient of a message can only use a key verify a MAC, then a MAC is useful as a means of OADI. There are systems today that do this, although they’re not as common as the ones used to create and verify digital signatures.
So it seems that the difference between using a digital signature for OADI and using a MAC for OADI aren’t as great as you might first think. In either case, the usefulness of the OADI scheme is limited by the controls in place that limit how cryptographic keys are used. In one case you’re trusting the controls that the sender of a message has in place, and probably the controls that a CA has in place as well. In the other case, you’re trusting that the controls in place at both the sender and recipient. The biggest difference between the two cases seems to be the practical difficulties that limit the usefulness of MACs, but if you want to ensure OADI, either type of scheme can be used.