
An Introduction to ISO 13888

Updated on July 8, 2020

Tamara Wilhite is a technical writer, an industrial engineer, a mother of two, and a published sci-fi and horror author.

How do you know that a message comes from the person whose name is upon the message, without having been altered or corrupted in the process? The answer for the ISO was to create ISO standard 13888.

ISO 13888 creates a non-repudiation scheme for verifying where messages originated and that they were unaltered from creation to reception. ISO standard 13888 covers the processes for verifying the sender of a message and tracking messages as they are routed from sender to recipient.

If you say "I didn't send that email", how could you prove origin of the message? ISO 13888 defines the method of verifying and documenting the origin point and routing of emails.

What is Non-Repudiation?

Non-repudiation is when someone or something is challenged on the validity of a claim. With regard to information technology, non-repudiation refers to services that verify the source of data or messages, so that messages are not spoofed and do not come from someone other than the name signed to the message.

Non-repudiation also checks the integrity of the message, such that no one has added additional information or malicious software hidden in an attachment that was not on the original message. This email verification process reduces the risk of someone receiving an email that purports to come from a legitimate organization but is in fact a phishing email or has had its contents altered.

Non-Repudiation Services

Non-repudiation services that are ISO 13888 compliant must provide proof of who created the content in a message. ISO 13888 compliant non-repudiation services verify the identity of the sender, can identify the origin of all messages, and generate records that sent messages were received by a delivery authority and that messages were sent to the recipient.

Services that comply with ISO 13888 create records that the messages were received by the recipient and can generate records that the recipient received and opened the message. The non-repudiation service must retain logs of all these transactions that can be audited if necessary.

Non-repudiation services offer readers some protection from spoofing of emails as well as a legally sound way of proving email notifications were sent but not received.

Sections of the ISO 13888 Standard

ISO standard 13888 covers digital certificates created with both symmetric and asymmetric encryption. ISO 13888 is broken into three separate parts, with each part relevant to different types of digital certificates used to confirm a sender’s identity.

ISO 13888-1 gives the general model used for handling digital certificates. ISO 13888-1 allows for two different types of evidence to verify the identity of a sender and the integrity of the message. Secure envelopes are created by symmetric cryptographic generators. Digital signatures are created by asymmetric generators. Users themselves can create digital signatures through tools like Lotus Notes.

ISO 13888-2 outlines the methods used to resolve disputes between symmetric certificates. These symmetric certificates may be generated using stream ciphers or block ciphers.

ISO 13888-3 outlines the methods used to resolve disputes between asymmetric certificates. Asymmetric encryption relies on different keys for encrypting messages. A public key is used to encrypt the message, but a private key is used to decrypt it. Asymmetric encryption systems do not need trusted third party verification of a message’s origin.

ISO 13888 Terminology

Non-repudiation of origin or NRO means that someone cannot deny sending an email that they sent. When there is NRO, someone cannot send an email promising to buy an item at a specified price and then say it was generated by a hacker. The non-repudiation of origin proves the person generated the message because it has his or her digital signature, has a time stamp, was recorded on the company’s network as coming from that person and sent to the recipient.

Non-repudiation of delivery or NRD prevents someone from saying, “I never got that message.” ISO 13888 compliant mail services will record the receipt of a message by the mail server and its routing to the intended recipient. An ISO 13888 compliant system will log when the message bounces, such as when the email account to which the message was sent no longer exists. It will also document when the person received it and generally capture if and when the message was read.
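
An added example (not from the original article or the ISO text) of the secure-envelope idea behind NRO and NRD evidence: a hypothetical trusted third party, `EvidenceAuthority`, seals each record with an HMAC key that only it holds, because a key shared directly by sender and recipient would let either of them forge the evidence. The field names, addresses and message are constructed for illustration and are not the token format the standard defines.

```python
import hashlib
import hmac
import json
import secrets


class EvidenceAuthority:
    """Hypothetical TTP that seals and checks non-repudiation evidence."""

    def __init__(self, key: bytes):
        self._key = key  # held by the TTP only, never by sender or recipient

    def _mac(self, fields: dict) -> str:
        # Canonical JSON so identical fields always serialize to the same bytes.
        data = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def seal(self, kind, sender, recipient, message: bytes, timestamp) -> dict:
        # The envelope binds who, to whom, when, what kind, and the message digest.
        fields = {
            "kind": kind, "sender": sender, "recipient": recipient,
            "timestamp": timestamp,
            "digest": hashlib.sha256(message).hexdigest(),
        }
        return {**fields, "envelope": self._mac(fields)}

    def verify(self, token: dict, message: bytes) -> bool:
        fields = {k: v for k, v in token.items() if k != "envelope"}
        if fields.get("digest") != hashlib.sha256(message).hexdigest():
            return False  # message differs from the one the evidence covers
        return hmac.compare_digest(self._mac(fields), str(token.get("envelope", "")))


def demo() -> dict:
    ttp = EvidenceAuthority(secrets.token_bytes(32))
    msg = b"I agree to buy item 42 for $100."  # constructed sample message
    a, b = "alice@example.com", "bob@example.com"  # constructed addresses
    nro = ttp.seal("NRO", a, b, msg, "2020-07-08T12:00:00Z")  # at submission
    nrd = ttp.seal("NRD", a, b, msg, "2020-07-08T12:00:05Z")  # at delivery
    return {
        "nro_valid": ttp.verify(nro, msg),
        "nrd_valid": ttp.verify(nrd, msg),
        "altered_message": ttp.verify(nro, msg.replace(b"$100", b"$900")),
        "relabeled_sender": ttp.verify({**nro, "sender": "mallory@example.com"}, msg),
        "nro_reused_as_nrd": ttp.verify({**nro, "kind": "NRD"}, msg),
    }


if __name__ == "__main__":
    print(demo())
```

Only the authority can check an envelope, so a dispute is settled by presenting the token and the message to it; an altered message, a changed sender, or origin evidence relabeled as delivery evidence all fail verification.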

A trusted third party or TTP will verify the certificates used during encryption. An example of this is certificate authorities or certification authorities, called CA for short. While a person may not trust an email from, the certificate authority used to create the digital certificate and public key from the person verifies that the message is probably legitimate.

Related Standards

ISO 10181-4 deals with non-repudiation of digital certificates on open systems. This standard is for non-repudiation policies within a greater information security policy. Financial and medical records are held to a higher standard than other types of information.

ISO 15782-1 describes the standards for certificate management for financial services like banks. ISO 17090-3 outlines the public key infrastructure and certification authority to be used in sending health information.

