Using a Lotus Notes ID to validate a user to a Domino server


Chuck Connell
01.04.2005

Keywords: Notes, ID, certificate, trust, authenticate
Technical Level: Beginner

My tip last month described Notes ID files. In that article, I promised to write more about how Notes uses the ID file to validate a user to a Domino server. So here we go…

Notes ID files use a hierarchical trust model. This model is best illustrated by the "trusted friend" analogy. Suppose you attend a party to meet new people and you have a rule that you will not become friends with any total strangers. You want someone to vouch for any new acquaintance. You were brought to the party by Yolanda Yodalaky, whom you have known for years. You will trust anyone she personally points out to you. She introduces you to Emma and Henry, so you now know that they are trustworthy. Emma then takes you over to meet Hao-Lin, and you now trust Hao-Lin. It is important to note that Yolanda, your original friend, did not introduce you to Hao-Lin. Instead, Emma did, but you trust Emma's judgment, since Yolanda vouched for her. This is a hierarchical trust model. There is one person, Yolanda, whom you originally trusted. That trust flows to people Yolanda introduces you to. You will then accept introductions from those new friends also.

Now suppose someone walks up to you and says, "Hi. My name is Mary. I am pleased to meet you. You can trust me because I am good buddies with Yolanda." Should you trust her? No, you should not. You don't know that her name is really Mary, or that she actually knows Yolanda. This stranger may have heard that you trust Yolanda and is trying to trick you with this knowledge. What to do? Lead Mary over to Yolanda and say, "Yolanda, take a look at this person. Is her name Mary? Can I trust her?" If Yolanda says "yes," you are all set. If Yolanda says "no," you have avoided being tricked by an impostor.

Notes ID files work in exactly this way. Within each ID are the names and (digital) signatures of some trusted certificates. Typically the name of a certificate is /CompanyName. It may also be /Dept/CompanyName, which denotes a department-level certificate that is vouched for by /CompanyName. When you use Notes to access a Domino server, Notes sends the server information about the certificates in your Notes ID file. The server determines whether one of the certificates you trust is the same as a certificate that it trusts, by performing a mathematical test on each certificate: it checks the certifier's digital signature on the certificate using the public key of the certifier that the server already holds, so a certificate that merely carries a familiar name does not pass. If the server determines that it trusts a certificate in your ID, you are granted access to the server. The mathematical test is analogous to taking Mary to Yolanda and asking, "Is this Mary?"

There is an important corollary to this model, which may not be immediately obvious. Suppose the certificate in your ID file is named /AcmeCorp, and suppose the certificate that the server trusts is also named /AcmeCorp. This does not automatically mean that the server will trust your ID file. You might be trying to trick the server with a fake /AcmeCorp certificate (just as Mary may have been trying to trick you at the party): the name is only a label, and anyone can create a certifier with that name. The purpose of the mathematical test is to force your ID file to prove that its /AcmeCorp is the same /AcmeCorp, with the same key, that the server trusts.

This problem can arise in actual practice with Notes if you accidentally create a second top-level certifier for your organization. I have seen this happen when companies install a second (or subsequent) Domino server. The installation script can be confusing and sometimes leads you to create another certifier with the same name when you already have one. Notes IDs that you create with the second certifier (and server IDs created with it) will not work with existing servers: the second certifier has the same name but a different key pair, so the certificates it signs fail the test against the original /AcmeCorp that the existing servers trust. It can be hard to figure out what the problem is, because the bad IDs appear, on casual inspection, to have a valid certificate.
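The trust walk described above and the same-name, different-key failure from the corollary, as an added example that is not part of this tip and is not Lotus/IBM code. It models the hierarchy with a toy textbook RSA (short keys, no padding; it keeps the trust logic visible but is not usable cryptography) and a one-way login, whereas Notes authenticates both sides. The certifier names (/AcmeCorp, /Sales/AcmeCorp), the user names, the chain layout and every function here are assumptions made for the illustration; only the Python standard library is used.

```python
# Toy model of Notes-style hierarchical certificate trust. Added illustration,
# not IBM/Lotus code. Textbook RSA, short keys, no padding: NOT real crypto.
import hashlib
import secrets
from collections import namedtuple

def _is_probable_prime(n, rounds=16):  # Miller-Rabin, adequate for a demo key
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or n in small or any(n % p == 0 for p in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_keypair(bits=384):
    """Return ((e, n), (d, n)). n must exceed a 256-bit SHA-256 digest."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1   # b-bit, odd
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")
def sign(priv, data):
    return pow(_digest(data), priv[0], priv[1])
def verify(pub, data, sig):
    return pow(sig, pub[0], pub[1]) == _digest(data)

# A certificate: "name holds pub", vouched for (signed) by the certifier issuer.
Cert = namedtuple("Cert", "name pub issuer sig")

def _body(name, pub, issuer):
    return f"{name}|{issuer}|{pub[0]}|{pub[1]}".encode()

def issue(issuer_name, issuer_priv, subject, subject_pub):
    """The certifier vouches for subject, like Yolanda pointing out Emma."""
    return Cert(subject, subject_pub, issuer_name,
                sign(issuer_priv, _body(subject, subject_pub, issuer_name)))

def chain_is_trusted(trust_anchors, chain):
    """Walk leaf-first: each cert must verify under the key of the cert above it,
    the top cert under the key the server HOLDS for that name. A name alone proves nothing."""
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            if chain[i + 1].name != cert.issuer:
                return False
            issuer_pub = chain[i + 1].pub
        else:
            issuer_pub = trust_anchors.get(cert.issuer)   # found by name ...
        if issuer_pub is None or not verify(issuer_pub, _body(*cert[:3]), cert.sig):
            return False                                   # ... proven by key
    return True

def authenticate(trust_anchors, chain, holder_priv):
    """Validate the chain, then make the client prove it holds the leaf's private key."""
    if not chain_is_trusted(trust_anchors, chain):
        return False
    nonce = secrets.token_bytes(32)                  # server's fresh challenge
    return verify(chain[0].pub, nonce, sign(holder_priv, nonce))

def demo():
    """/AcmeCorp -> /Sales/AcmeCorp -> Alice, plus a second certifier that is
    also named /AcmeCorp (the installation mistake described in the tip)."""
    root_pub, root_priv = generate_keypair()
    sales_pub, sales_priv = generate_keypair()
    sales = issue("/AcmeCorp", root_priv, "/Sales/AcmeCorp", sales_pub)
    alice_pub, alice_priv = generate_keypair()
    alice = issue("/Sales/AcmeCorp", sales_priv, "Alice/Sales/AcmeCorp", alice_pub)
    server_trust = {"/AcmeCorp": root_pub}       # the one /AcmeCorp the server knows
    rogue_pub, rogue_priv = generate_keypair()   # same name, different key
    rogue = issue("/AcmeCorp", rogue_priv, "/AcmeCorp", rogue_pub)   # self-signed
    bob_pub, bob_priv = generate_keypair()
    bob = issue("/AcmeCorp", rogue_priv, "Bob/AcmeCorp", bob_pub)
    return {
        "alice": authenticate(server_trust, [alice, sales], alice_priv),
        "bob_second_certifier": authenticate(server_trust, [bob, rogue], bob_priv),
        "copied_certs_no_key": authenticate(server_trust, [alice, sales], bob_priv),
    }

if __name__ == "__main__":
    print(demo())
```

Bob's chain looks complete on casual inspection (a user certificate under a self-signed /AcmeCorp), which is exactly the situation the tip warns about; it is refused only because the server verifies the top signature with the /AcmeCorp key it holds rather than matching the name. The third case shows why the chain check alone is not enough: a party holding copies of Alice's certificates but not her private key cannot answer the challenge.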

For more information see:

Overview of Notes/Domino Security, Iris Today, September 2001.

Links Page on DominoSecurity.org. This is a Web site that I maintain with lots of information about Domino/Notes security.

Chuck Connell is president of CHC-3 Consulting, which helps organizations with all aspects of Domino and Notes.
