Notes and capabilities

shapj@us.ibm.com shapj@us.ibm.com
Tue, 9 Nov 1999 13:12:07 -0500


I caught up with Alex Morrow of Lotus yesterday, so I want to close the
loop on that discussion.

It proves that the numbers encoded in Domino URLS are indeed capabilities.
Domino allocates universally unique identifiers to all objects using a
swiss number scheme or some comparably strong randomization strategy.  I
can't speak to the strength of the randomness, but it is intended that
these ID's be sufficiently random to be unguessable.  The resulting IDs are
then directly encoded in the URLs.

Thus, I think it is accurate to characterize the URLs as global
capabilities in the same sense that Droplets has global capabilities.

Domino *also* uses ACLs. I propose that we defer debate about this until my
forthcoming sacred cow note has been hashed through, and then reopen the
issue.

One point of possible interest: in a small way the Domino ACL's are
role-based.  Jonathan Shapiro authenticated over SSL potentially has a
different password, is a member of different groups, and may have distinct
authorities in general from Jonathan Shapiro authenticated using X.509 ids
(the usual Notes mechanism).  The idea is that if the user presents the
X.509 id you know that they are coming from a relatively small pool of
machines, while the SSL-encrypted password can be alleged from anywhere.

The X.509 id file is itself password protected. I grant that the id file
can be stolen, but doing so requires targeting a specific machine and
subsequent crypto attacks.  SSL can be hacked from anywhere.  Given that a
small pool of machines competently administered is harder to hack than a
random endpoint on the net, it is reasonable and useful from the standpoint
of probabilistic risk assessment to distinguish these types of
authentication.

Jonathan S. Shapiro, Ph. D.
Research Staff Member
IBM T.J. Watson Research Center
Email: shapj@us.ibm.com
Phone: +1 914 784 7085  (Tieline: 863)
Fax: +1 914 784 7595