Even though Domino and Notes can be configured for high security, the concentration of power in the certifier ID file has been a problem. If you have the top-level certifier, you can do a lot of damage. You can create new users and sub-certifiers (organization units). More ominously, you can create users and org units that have the same names as existing valid ID files. You can create a Notes ID that appears to be the company president, and this ID will be valid, since it is signed with the real corporate certifier. While it is possible to detect this fraud (by checking public keys) it is still not a pretty scenario.
How hard is it for unauthorized people to get the certifier ID? Not really too hard. Since the certifier is just a small file, anyone who has brief access to the certifier can make his or her own copy on a diskette or USB memory stick. Many organizations regretfully assume that every member of the Domino administration team has a copy of the certifier at home. Even if all of those people are trustworthy, the extra copies of the certifier make it more likely to fall into the hands of someone who is not trustworthy. Of course, anyone who has the certifier still has to know its password, but often this is not too hard to guess.
There is a new feature in R6 that goes a long way to mitigating this problem. The Server-Based Certificate Authority (CA) is a software service that provides a level of indirection for access to certifier ID files. In effect, the certifier becomes the property of a Domino administration process, rather than the property of a set of people. At least one person must still maintain master control over the certifier, but other members of the administration team can use the certifier, without having direct access to it or knowing its password. The person with master control is called the Certificate Authority Administrator (CAA). Other people who need to use the certifier are granted the Registration Authority (RA) role.
The CA also has other valuable traits in addition to the benefit of increased security by indirect access. It automatically maintains an Issued Certificate List (ICL), which helps track IDs generated from the certifier. And the process works for Internet X.509 certificates issued by Domino. In this case, the CA can also maintain an industry-standard Certificate Revocation List (CRL) so that Internet sites can query the CA about the validity of a particular Internet certificate.
When is the CA feature not particularly useful? In my judgment, a small organization that is only issuing Notes IDs has little need for this service. If the Notes administration team only has two people, and you are fairly sure there are no extra copies of the certifier floating around, the service gives little value. One of those people must still know the password for the certifier, as the CAA. So the whole feature reduces the security exposure only for the other administrator.
For full information see Domino Administrator 6 Help / Contents / Security / Domino Server-Based Certification Authority.
Chuck Connell is president of CHC-3 Consulting, which helps organizations with all aspects of Domino and Notes.
Do you have comments on this tip? Let us know.
Please let others know how useful it is via the rating scale below. Do you have a useful Notes/Domino tip or code to share? Submit it to our monthly tip contest and you could win a prize and a spot in our Hall of Fame.
This was first published in November 2004