From Application Security and Development Security Technical Implementation Guide
Part of SRG-APP-000080
Associated with: CCI-000166
Without non-repudiation, it is impossible to positively attribute an action to an individual (or process acting on behalf of an individual).
Review the application documentation, the design requirements if available and interview the application administrator. Identify application services or application commands that are formerly required and designed to provide non-repudiation services (e.g., digital signatures). If the application documentation specifically states that non-repudiation services for application users are not defined as part of the application design, this requirement is not applicable. Email is one example of an application specifically required to provide non-repudiation services for application users within the DoD. Interview the application administrators and have them describe which aspect of the application, if any, is required to provide digital signatures. Access the application as a test user or observe the application administrator as they demonstrate the applications signature capabilities. If the application is required to provide non-repudiation services and does not, or if the non-repudiation functionality fails on demonstration, this is a finding.
Configure the application to provide users with a non-repudiation function in the form of digital signatures when it is required by the organization or by the application design and architecture.
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer