I've read your explanations about security on the IDs, but I still have an unanswered question about the cert ID. I can change the password and even the public key via the Admin client using ID properties, but how can I prevent someone from using a copy of a cert ID with a different password? You don't have any Person document with which you can make the link and check the options "Check password...."
I was thinking about the "Check public key," but in this case I need to generate another public key for the certifier ID with other possible problems, and I must implement the solution for the whole company.
Do you have any magic solution?
The first, and obvious, answer is that all organizations should protect their certifier IDs very carefully. Having said that, this is difficult to do in practice. It is nearly impossible to prevent a trusted system administrator from taking home a copy of the cert ID on a diskette. However, Domino has two features which, taken together, give you pretty good protection.
- The "check public keys" option on the server prevents someone from creating a bogus account for a real user. If someone uses a stolen cert ID to make a new ID with the same name as an existing user, that new ID will have a different public key than the real user. So the bogus ID file will not work.
- The server option to "only allow users listed in the NAB" prevents someone from creating new (unauthorized) user ID files offline. If such an ID is created, it will be signed with the real organization certifier, but it won't be listed in the NAB, so it will not have server access.
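
The following is an added example, not part of the original answer and not Domino code: a small Python model of the access decision, showing why the two server options only close both gaps when enabled together. The names `NotesID`, `ServerPolicy`, `allow_access`, the `/Acme` organization and the key strings are all constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class NotesID:
    name: str        # hierarchical user name stored in the ID file
    public_key: str  # constructed stand-in for the public key in the ID file
    certifier: str   # organization certifier that signed the ID

@dataclass(frozen=True)
class ServerPolicy:
    check_public_keys: bool  # models the "check public keys" option
    only_listed_users: bool  # models "only allow users listed in the NAB"

TRUSTED_CERTIFIER = "/Acme"  # constructed organization name
# Constructed NAB: Person document name -> public key on record.
NAB = {"Alice Smith/Acme": "PK-ALICE-ORIGINAL"}

def allow_access(user_id, policy, nab=NAB):
    """Return (allowed, reason) for one authentication attempt."""
    if user_id.certifier != TRUSTED_CERTIFIER:
        return False, "not signed by a trusted certifier"
    listed = user_id.name in nab
    if policy.only_listed_users and not listed:
        return False, "signed by the certifier but not listed in the NAB"
    if policy.check_public_keys and listed and nab[user_id.name] != user_id.public_key:
        return False, "public key differs from the one in the NAB"
    return True, "allowed"

# Three IDs, all validly signed; the last two were made with a copied cert ID.
GENUINE = NotesID("Alice Smith/Acme", "PK-ALICE-ORIGINAL", "/Acme")
SAME_NAME_COPY = NotesID("Alice Smith/Acme", "PK-REGENERATED", "/Acme")
UNLISTED_NEW = NotesID("Temp User/Acme", "PK-NEW", "/Acme")

def decision_matrix():
    """Map (check_public_keys, only_listed_users) -> outcome for each ID."""
    rows = {}
    for keys, listed in product((False, True), repeat=2):
        policy = ServerPolicy(keys, listed)
        rows[(keys, listed)] = tuple(
            allow_access(i, policy)[0]
            for i in (GENUINE, SAME_NAME_COPY, UNLISTED_NEW))
    return rows

if __name__ == "__main__":
    for (keys, listed), r in decision_matrix().items():
        print(f"check_public_keys={keys!s:5} only_listed_users={listed!s:5} "
              f"-> genuine={r[0]} same_name={r[1]} unlisted={r[2]}")
```

With only one option enabled, one of the two IDs made from the copied certifier is still accepted; the genuine user is accepted in every configuration.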
Related Q&A from Chuck Connell
Is it possible to encrypt a user's name before sending an email? SearchDomino.com expert Chuck Connell weighs in.
Learn how to change authentication timeout interval for Domino Web Access logins.
SearchDomino.com expert Chuck Connell provides a resource for a Lotus Notes administrator who wants to filter out email containing the word "spam," ...