[3989] in WWW Security List Archive


Re: Lotus Notes Tender System

daemon@ATHENA.MIT.EDU (Mark H Linehan)
Wed Jan 15 19:12:03 1997

From: "Mark H Linehan"<linehan@watson.ibm.com>
To: THunterD@aol.com
cc: Mprice@pwd.nsw.gov.au, Www-Security@ns2.rutgers.edu
Date: Wed, 15 Jan 1997 14:28:38 -0400
Errors-To: owner-www-security@ns2.rutgers.edu





  From: Mark H Linehan on 01-15-97 02:28 PM

  The following is not quite true.  Lotus Notes uses public key technology
  for authentication and other purposes.  Notes stores your private key
  (not your password) in an ID file.  You can control access to your
  private key via a password which is used to encrypt the ID file.  Your
  site Notes server administrator can require passwords for all users.  If
  a password is used, then a stolen ID file is useless.

  I believe Notes does provide log records that can be used to identify
  invalid access attempts.

  The statement "In order for a Notes application to be secure it must be
  part of a larger solution which has comprehensive security controls and
  policies in place and in force" is true of all computer systems, whether
  built on Notes or otherwise.  Notes provides significant built-in features
  and security controls that enable and simplify such a larger solution.



                                                                    
  THunterD @ aol.com, 01/14/97 08:17 PM
                                                                    



  To:   linehan, mprice @ pwd.nsw.gov.au
  cc:   Www-Security @ ns2.rutgers.edu (bcc: Mark H Linehan/Watson/IBM
        Research)
  Subject:  Re: Lotus Notes Tender System




   Mark H Linehan on 01-13-97 09:37 PM wrote:

    Lotus Notes has very extensive security features.   There's a
    documentation database that comes with Notes that describes these
    security features in detail.  Examples:  it uses public-key algorithms
    to authenticate users; mail and database entries can be signed or
    encrypted or both; the transport link between Notes clients and servers
    can be encrypted, etc.  As with any security mechanisms, it takes some
    learning and some thought to apply the Notes security features
    effectively.  But they can be very effective.

  While the above is true, security must take into account the ability of
  someone to compromise the access controls.  Lotus Notes stores your
  password in an ID file.  The password remains with that ID file and not
  on the server.
  Therefore, if I can compromise your password and get a copy of your ID
  file I can have permanent access to your Lotus Notes database.   To make
  matters worse, the user can choose to either have a password or not.
  This option is configurable at the client, so it is feasible that users
  may not even require a password.  Additionally, some of the basic
  security administration functions are not available on Notes.  Activities
  such as reviewing invalid access attempts are not part of Notes.  In
  order for a Notes application to be secure it must be part of a larger
  solution which has comprehensive security controls and policies in place
  and in force.

  Tom Davis




