====== 4.3.4.3 Non-Repudiation ======

[[dido:public:ra:1.4_req:2_nonfunc:25_security | Return to Securability ]]

===== About =====

[[dido:public:ra:xapend:xapend.a_glossary:n:nonrepudiation]](( Non-Repudiation, __Computer Security Resource Center (CSRC)__, Accessed 14 August 2020, [[https://csrc.nist.gov/glossary/term/non_repudiation]] )) means that it is not possible to repudiate (i.e., deny) that an action has been taken. For example, a signed contract witnessed by two people cannot be repudiated. In other words, the contract now has Non-Repudiation.

Non-Repudiation is about providing [[dido:public:ra:xapend:xapend.a_glossary:a:assurance|assurance]], using [[dido:public:ra:xapend:xapend.a_glossary:e:evidence|evidence]], that an action has been done. For example, a data sender is provided evidence (i.e., proof) of delivery, while the receiver is provided evidence (i.e., proof) of the sender's identity. As a consequence, neither the sender nor the receiver can deny having processed the data.

Non-Repudiation applies to more than just sending data between two parties. It can be applied to any action or activity. For example, by digitally signing an email, the receiver has evidence (i.e., proof) that the email is from the [[dido:public:ra:xapend:xapend.a_glossary:e:entity|entity]] that signed the email. In other words, it is not possible to repudiate that the email came from the entity that digitally signed it.

Another example is the use of identities in [[dido:public:ra:xapend:xapend.a_glossary:c:cm|configuration management]] systems. Each change (i.e., transformation) is recorded in a log along with the identity of the individual who made the change. In this way, all changes made to the configuration have Non-Repudiation.(( Evan Wheeler, __Security Risk Management__, 2011, Accessed 14 August 2020, [[https://www.sciencedirect.com/science/article/pii/B9781597496155000074]] ))

There is a lot of overlap between Non-Repudiation and [[dido:public:ra:xapend:xapend.a_glossary:a:accesscontrol]]. During access to a controlled resource, the identity of the entity trying to access the resource is verified against an [[dido:public:ra:xapend:xapend.a_glossary:a:acl]]. When access is allowed or denied, an entry is made into a log. Once the entry is made, the access has Non-Repudiation. In other words, once an [[dido:public:ra:xapend:xapend.a_glossary:a:accesscontrolfunction]] is executed, there is generally sufficient evidence for Non-Repudiation of access to the controlled resource.

===== DIDO Specifics =====

[[dido:public:ra:1.4_req:2_nonfunc:25_security:nonrepudiability| Return to Top]]

To be added/expanded in future revisions of the DIDO RA
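The signed configuration-change log entry described in the About section, as an added example that is not part of the DIDO RA or its code: a constructed change record is bound to the actor's identity with an Ed25519 signature (Go standard library), so re-attributing the change or altering its content makes verification fail. The record fields, the ''NewSignerKey'' helper and the sample values are assumptions for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// ChangeRecord is a constructed configuration-management log entry. The actor's
// identity and the change itself are both covered by the signature, so neither
// can later be altered or denied without verification failing.
type ChangeRecord struct {
	Actor     string `json:"actor"`
	Resource  string `json:"resource"`
	Change    string `json:"change"`
	Timestamp string `json:"timestamp"`
}

// SignedRecord holds the entry with the signer's public key and signature. Only
// the holder of the matching private key could have produced it, which is what
// a shared-secret MAC (forgeable by either party) cannot provide.
type SignedRecord struct {
	Record    ChangeRecord
	PubKey    ed25519.PublicKey
	Signature []byte
}

// NewSignerKey generates the actor's Ed25519 key pair (hypothetical helper).
func NewSignerKey() (ed25519.PrivateKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return priv, err
}

// canonical serialises the record deterministically (fixed struct field order).
func canonical(r ChangeRecord) []byte {
	b, _ := json.Marshal(r) // string-only struct: Marshal cannot fail
	return b
}

// SignRecord binds the record to the actor's key.
func SignRecord(priv ed25519.PrivateKey, r ChangeRecord) SignedRecord {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedRecord{Record: r, PubKey: pub, Signature: ed25519.Sign(priv, canonical(r))}
}

// VerifyRecord returns false if the record, the key or the signature was changed.
func VerifyRecord(s SignedRecord) bool {
	return ed25519.Verify(s.PubKey, canonical(s.Record), s.Signature)
}

func main() {
	priv, _ := NewSignerKey()
	rec := ChangeRecord{"alice@example.org", "/etc/app/config.yaml", "max_conn: 100 -> 200", "2020-08-14T12:00:00Z"}
	signed := SignRecord(priv, rec)
	signed.Record.Actor = "bob@example.org" // repudiation attempt: re-attribute the change
	fmt.Println("original verifies:", VerifyRecord(SignRecord(priv, rec)), "re-attributed verifies:", VerifyRecord(signed))
}
```

The log store only needs to keep the signed record and a trusted mapping from public key to actor identity; the evidence stays checkable by anyone holding that mapping, not just the party that wrote the log.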