Inside Domino Certificate Authority in R6

Chuck Connell
11.08.2004
Even though Domino and Notes can be configured for high security, the concentration of power in the certifier ID file has been a problem. If you have the top-level certifier, you can do a lot of damage. You can create new users and sub-certifiers (organization units). More ominously, you can create users and org units that have the same names as existing valid ID files. You can create a Notes ID that appears to be the company president, and this ID will be valid, since it is signed with the real corporate certifier. While it is possible to detect this fraud (by checking public keys), it is still not a pretty scenario.

How hard is it for unauthorized people to get the certifier ID? Not really too hard. Since the certifier is just a small file, anyone who has brief access to the certifier can make his or her own copy on a diskette or USB memory stick. Many organizations regretfully assume that every member of the Domino administration team has a copy of the certifier at home. Even if all of those people are trustworthy, the extra copies of the certifier make it more likely to fall into the hands of someone who is not trustworthy. Of course, anyone who has the certifier still has to know its password, but often this is not too hard to guess.

There is a new feature in R6 that goes a long way to mitigating this problem. The Server-Based Certificate Authority (CA) is a software service that provides a level of indirection for access to certifier ID files. In effect, the certifier becomes the property of a Domino administration process, rather than the property of a set of people. At least one person must still maintain master control over the certifier, but other members of the administration team can use the certifier without having direct access to it or knowing its password. The person with master control is called the Certificate Authority Administrator (CAA). Other people who need to use the certifier are granted the Registration Authority (RA) role.

The CA also has other valuable traits in addition to the benefit of increased security by indirect access. It automatically maintains an Issued Certificate List (ICL), which helps track IDs generated from the certifier. And the process works for Internet X.509 certificates issued by Domino. In this case, the CA can also maintain an industry-standard Certificate Revocation List (CRL) so that Internet sites can query the CA about the validity of a particular Internet certificate.
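The two defensive checks described above, comparing a presented ID's public key against the key on record for that name, and consulting the Issued Certificate List for IDs minted through the CA, are illustrated in the following Go program. It is an added example written for this tip, not code from Domino or from the author: it models the certifier, user IDs and the directory with Ed25519 keys and Go maps rather than Domino's real ID file and certificate formats, and the names "/Acme" and "President/Acme" are made up for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Certifier stands in for the corporate certifier ID: whoever holds its
// private key can sign an ID for any name. Simplified model for this
// article, not Domino's real ID or certificate format.
type Certifier struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// ID stands in for an issued user ID: name, the user's public key, and
// the certifier's signature over both.
type ID struct {
	Name string
	Pub  ed25519.PublicKey
	Sig  []byte
}

func NewCertifier(name string) (*Certifier, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Certifier{Name: name, pub: pub, priv: priv}, nil
}

// signedBytes is the message the certifier signs: name, separator, key.
func signedBytes(name string, pub ed25519.PublicKey) []byte {
	return append([]byte(name+"\x00"), pub...)
}

// Issue mints a new ID for name. Nothing here prevents a second ID with a
// name that already exists, which is the exposure the article describes.
func (c *Certifier) Issue(name string) (ID, error) {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ID{}, err
	}
	return ID{Name: name, Pub: pub, Sig: ed25519.Sign(c.priv, signedBytes(name, pub))}, nil
}

// Verify checks only that this certifier signed the ID; a duplicate-name
// ID passes exactly as the genuine one does.
func (c *Certifier) Verify(id ID) bool {
	return ed25519.Verify(c.pub, signedBytes(id.Name, id.Pub), id.Sig)
}

// Directory stands in for the directory record of each person's public key
// taken at registration; comparing against it is the "checking public
// keys" step that exposes an impostor ID.
type Directory map[string]ed25519.PublicKey

func (d Directory) Register(id ID) { d[id.Name] = id.Pub }

// KeyMatches reports whether the ID's key is the one on record for the name.
func (d Directory) KeyMatches(id ID) bool {
	rec, ok := d[id.Name]
	return ok && rec.Equal(id.Pub)
}

// ICL stands in for the Issued Certificate List kept by the CA process:
// every ID issued through the CA is recorded, so an ID signed with a
// private copy of the certifier never appears in it.
type ICL map[string]bool

func keyID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }
func (l ICL) Record(id ID)               { l[keyID(id.Pub)] = true }
func (l ICL) Contains(id ID) bool        { return l[keyID(id.Pub)] }

func main() {
	ca, err := NewCertifier("/Acme") // hypothetical organization
	if err != nil {
		panic(err)
	}
	dir, icl := Directory{}, ICL{}

	// Genuine registration through the CA: recorded in directory and ICL.
	genuine, _ := ca.Issue("President/Acme")
	dir.Register(genuine)
	icl.Record(genuine)

	// Same name issued again from a copy of the certifier, bypassing the CA.
	impostor, _ := ca.Issue("President/Acme")

	for _, id := range []ID{genuine, impostor} {
		fmt.Printf("%s key=%s sig valid=%v key on record=%v in ICL=%v\n",
			id.Name, keyID(id.Pub)[:8], ca.Verify(id), dir.KeyMatches(id), icl.Contains(id))
	}
}
```

Both IDs pass the signature check, which is the whole problem: the certifier's signature proves only that someone holding the certifier created the ID. The directory comparison and the ICL are what separate the genuine ID from the duplicate, and the ICL only helps when every legitimate registration goes through the CA process rather than through a loose copy of the certifier.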

When is the CA feature not particularly useful? In my judgment, a small organization that is only issuing Notes IDs has little need for this service. If the Notes administration team only has two people, and you are fairly sure there are no extra copies of the certifier floating around, the service gives little value. One of those people must still know the password for the certifier, as the CAA. So the whole feature reduces the security exposure only for the other administrator.

For full information see Domino Administrator 6 Help / Contents / Security / Domino Server-Based Certification Authority.

Chuck Connell is president of CHC-3 Consulting, which helps organizations with all aspects of Domino and Notes.
