The Call of the Open Sidewalk

From a place slightly to the side of the more popular path

User Tools

Site Tools



Repudiability is also known as deniability. As far as I can determine, the idea came out of nowhere. It wasn't really an issue anyone worried about and then it was a feature. We know that PGP doesn't have this feature because it was used as the example in the Off the Record proposal. So it seems appropriate to use PGP as a practical example.

If you send a signed and encrypted PGP message to someone then these two entities can gain knowledge of your signed message:

  1. The person you sent it to.
  2. Someone who manages to compromise the encryption.

Repudiability is intended to prevent those entities from causing you problems due to that knowledge by breaking or weakening the connection between the message and your cryptographic identity. Your cryptographic identity is normally based on some data that it is expected that only you have access to. In the case of PGP that data is your private key which is required to generate the signature. For this to potentially matter, your signed message would have to be linked to your cryptographic identity.

In a PGP context that would involve at least one of:

  1. Direct access to your private key.
  2. Someone who “knows” you through possession of your public key and an exchange of messages.
  3. Some sort of more complicated argument involving the PGP web of trust.

The first instance is the most definite. It also implies that both you and your correspondent have been compromised. The others provide no definite cryptographic proof of identity.

In the event that someone can come up with a tie between you and your cryptographic identity then this is what they will face when attempting to link it to your physical identity:

  1. Very few people understand cryptographic signatures well enough to even believe that such a thing is possible.
  2. There is no cultural context for the application of cryptographic signatures.

For something like a court case if it is email then the normal email evidence process would be followed with an extra decryption step. There would be no incentive to add an extra complicated step that might be challenged.

In a personal communications situation the people involved will know each other. If the reporter is part of the group then it would come down to how the others felt about you and them. If it was an outsider then the report would be treated as an unsubstantiated rumour. A technical proof would be ignored as redundant.

Note that a PGP user has complete control over how much their cryptographic identity is linked to their physical identity. A good example of this is seen with PGP use on the darknets. Customers create a separate PGP identity for use on the darknets. They often accept the default to sign messages as presented by their tool because it doesn't matter. The PGP identity (public key) is never distributed so the signature has no value. This is an advantage of the simple and straightforward way PGP deals with identities.


Forgeability is a part of repudiability. The idea is to make things so that even if someone does link your signed message to your cryptographic identity you can then falsely claim that the message is a forgery. Some amount of information is leaked to make this possible, either to just your correspondent(s) or to anyone that has access to your signed unencrypted message. To be clear, this is even intended to cover the case where your correspondent reveals your signed messages to others.

The fundamental problem with the concept of forgeability is:

The mere possibility of forging a message does not in any way prove that a message was forged.

In practice you would have to falsely accuse someone of the forgery. That someone would very possibly have to be a friend. It would be a serious accusation with serious consequences. In a social context the penalty could be exclusion from the group. In a legal context the penalty could be actual jail time. If your accusation was not successful the penalty would fall back on you.

It is much better and safer to just claim that the problematic statement is not what it seems. You might of been joking. You might of been misunderstood.

A system that supports forgeability will have the ability to falsely claim a forgery as a known feature. So in practice you might actually be worse off with such a system should you decide to do that.

In a PGP context you could claim someone had gained access to your private key. That argument might actually have some force in a case where someone's private key was compromised to defeat the encryption.

Most media is relatively easy to forge. But yet false claims of such forgery are quite rare which suggests that such claims don't tend to work out. False claims of fabricated evidence rarely go anywhere in court for example. Claiming that someone created a forgery using an obscure technical process does not seem any more likely to succeed.

Repudiability is one of those things that seems like a good idea in theory. In practice it has very little value. It is unlikely that the feature is worth the extra complexity it would take to implement it.

PGP FAN index

pgpfan/repudiability.txt · Last modified: 2020/06/11 01:10 by b.walzer