Thoughts on droplets v. Notes

Tyler Close tjclose@yahoo.com
Tue, 2 Nov 1999 10:34:31 -0800 (PST)


shapj wrote:
> > While the
> > specific encodings are different, the Lotus
> > Domino server uses an
> > essentially similar mechanism for naming Notes
> > objects in web-based
> > presentation -- even the format of the URL is
> > highly similar.

If their URLs don't use a Swiss number, then the best you
can say for the similarity of Domino URLs and Droplet(TM)
URLs is that they are both URLs.

> I've put in a query to someone at Lotus to double 
> check my understanding,
> and if the following is incorrect I will send out 
> a followup.

I look forward to getting the answer either way. Please let
us know in both cases.

> My understanding is that Notes assigns 
> cryptographically protected object
> identifiers.

If these object identifiers are 'cryptographically
protected', then they are no longer simple object
identifiers. I believe you confuse the discussion by
referring to them as object identifiers.

If an object identifier is unguessable and only
communicated over secured channels, then it is a
capability.

> In Notes, holding such an ID is a necessary but 
> insufficient condition for
> using the view.  The user must in addition have 
> authenticated to the notes
> server.  That is, Notes implements a hybrid 
> protection model through this
> interface incorporating both capabilities and ACLs.

If you can only ever use a capability if you comply with
the ACL authentication, then you are using a crippled
capability. The capability becomes no better than an object
identifier. I am not sure that it should be considered
correct to refer to this design as a capability based
design.

The only way I can see this as a true capability based
design is if it is possible to have very wide group ACL
authentication and for users within the group to share data
by passing around capabilities that satisfy this wide ACL
constraint.

> > Session identifiers are also more guessable than
> > Swiss numbers, so this ACL system might be insecure.
> 
> I'm not aware of any inherent reason why session 
> identifiers should be more
> guessable than Swiss numbers.

Without additional information, I was assuming that you
were referring to the HTTP session identifier generated by
the web server. I do not know much about the software that
generates these session identifiers, but based on visual
inspection, they definitely seem to have an interior
structure that is not intended for unguessability. It is
possible that this could be exploited to compromise Domino
security.

Tyler

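The distinction argued over in the message above, written out as an added example (this is not code from the original thread, nor the Droplet or Domino implementation): a Swiss-number URL minted from a CSPRNG, where holding the URL is the whole authority; the same URL under a hybrid model that additionally demands an ACL check, so that passing the URL to someone outside the ACL conveys nothing; and a session identifier with interior structure (a fixed prefix plus a counter, a constructed weak format) that an observer can extend to the next value. Every function name, the in-memory store, the ACL sets and the session-id format are assumptions made for illustration.

```python
"""Swiss-number capabilities versus structured session ids.

Added example, not from the original thread. All names, the in-memory
store and the weak session-id format are constructed for illustration;
none of it is the Droplet or Domino implementation.
"""
import secrets

# --- A Droplet-style capability: the unguessable URL is the authority ---

_objects = {}   # swiss number -> object (constructed in-memory store)


def random_swiss_number():
    """256 bits from the OS CSPRNG, URL-safe, with no interior structure."""
    return secrets.token_urlsafe(32)


def mint_capability(base_url, obj):
    """Return a URL whose last path component is a fresh Swiss number."""
    swiss = random_swiss_number()
    _objects[swiss] = obj
    return f"{base_url.rstrip('/')}/{swiss}"


def resolve_capability(url):
    """Pure capability model: holding the URL is necessary and sufficient."""
    swiss = url.rsplit("/", 1)[-1]
    return _objects.get(swiss)


def resolve_hybrid(url, principal, acl):
    """Hybrid model as described in the thread: the same URL only works for
    a principal the ACL admits. Sharing the URL with someone outside the ACL
    conveys nothing, so the Swiss number is reduced to an object name."""
    if principal not in acl:
        return None
    return resolve_capability(url)


# --- A session id with interior structure (constructed weak format) ---

_SERVER_PREFIX = 941_500_000   # constructed: a fixed per-process prefix
_counter = 0


def mint_structured_session_id():
    """Prefix plus incrementing counter: easy to read off and to extend."""
    global _counter
    _counter += 1
    return f"{_SERVER_PREFIX:x}-{_counter:06x}"


def predict_next_session_id(observed):
    """From one observed id, produce the id the server will hand out next."""
    prefix, counter_hex = observed.split("-")
    return f"{prefix}-{int(counter_hex, 16) + 1:06x}"


def guesses_needed(target, guesser, limit):
    """Attempts until guesser() returns target; None once limit is reached."""
    for attempt in range(1, limit + 1):
        if guesser() == target:
            return attempt
    return None


if __name__ == "__main__":
    url = mint_capability("https://example.invalid/drop", "payroll-view")
    print("capability resolves to:", resolve_capability(url))
    print("hybrid, outside ACL:", resolve_hybrid(url, "mallory", {"alice"}))
    first = mint_structured_session_id()
    print("observed", first, "-> predicted next", predict_next_session_id(first))
```

The `guesses_needed` helper makes the guessability point concrete: given one observed structured id, `predict_next_session_id` hits the next one on the first attempt, while guessing a stored Swiss number by drawing fresh 256-bit values gets nowhere within any practical limit.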