رویکرد چرخه کاربردی به مدیریت مدارک و شواهد برای حل اختلاف

Dispute resolution, a necessary function in electronic commerce, must rely on evidence that includes mechanisms to ensure non-repudiation of actions by the participants. In open systems comprising computer networks, this “non-repudiation service” is one type of security service defined in the ISO/IEC standards. These, as well as other literature, have defined a system framework for such a service. Evidence management is the central part. We propose a new methodology for evidence management with a model using a transactional cycle in which evidence is collected in compliance with the legal concept of chain-of-evidence. Evidence then exists as a set of relevant pieces instead of an atomic item. A case study involving credit-card-over-SSL transactions was used to demonstrate how the model works. Our aim was to present a new approach and show that evidence accountability can be better ensured.

Disputes are inevitable in business, and their resolution is necessary in electronic commerce just as it is in any other form of business. But disputes cannot be legally resolved unless the evidence underlying them has been previously recorded. A non-repudiation service establishes evidence and is one type of security service for open systems [6]. We reviewed the literature on information security and found that these services have been less discussed than others, such as authentication. Pertinent international standards on non-repudiation include ISO/IEC 10181-4 [7], 13888-1 [8], 13888-2 [9], and 13888-3 [10], which deal mainly with general concepts of evidence and define the system framework and some mechanisms for non-repudiation. The goal of this type of service is to generate, collect, maintain, make available, and validate irrefutable evidence concerning a claimed event or action in order to resolve disputes about the occurrence of the event or action. Due to evidence accountability, evidence management is a critical part of the security framework. Previous research [3], [15], [18], [19] and [20] dealt with evidence management as a unit of evidence involving a particular event or action; but this fails to pick up the complete context. Given that no business activity is atomic, we must consider a series of activities formed onto a complete transaction, rather than an isolated unit. It follows that evidence does not exist as an atomic piece but as a chain-of-evidence. This concept was originally introduced in law-enforcement. However, we integrate the concept with evidence management to trace accountability of each event or action into the overall transaction.

A new evidence-management methodology and its associated establishing procedures were discussed and then applied to a credit-card-over-SSL transaction case. The concept of chain-of-evidence and the transactional-cycle approach were integrated into the evidence-management methodology. Once each piece of stored evidence was generated, a map could be drawn to trace back the accountability of each event or action along the transactional cycle. We presented a systematic treatment of evidence accountability for non-repudiation services; this is a supplement to single pieces of evidence, which are quite limited when attempting to learn the context. Essentially, the non-repudiation service overlaps the functions of security audits and alarms. Both aim to record events or actions that have occurred. Recording the event in the audit trail might require support from non-repudiation services, and vice versa. That is, the audit recorder can be used to store and utilize non-repudiation evidence. Moreover, the analytical works about these are essentially different approaches to achieve the same purpose.