Notes and capabilities

Kevin_Lacobie@interliant.com
Tue, 9 Nov 1999 13:02:49 -0600


"It proves that the numbers encoded in Domino URLs are indeed capabilities.
Domino allocates universally unique identifiers to all objects using a
swiss number scheme or some comparably strong randomization strategy.  I
can't speak to the strength of the randomness, but it is intended that
these ID's be sufficiently random to be unguessable.  The resulting IDs are
then directly encoded in the URLs."

I'd say, yes and no.

Every design element and every document gets a unique note id; sure, the id
is created with a very good randomization strategy, so it qualifies as a
good random unique number.

But, is it part of a swiss number/capabilities scheme?  I don't think so
(perhaps, though, you could make it so?)

In the url:

http://site.company.com/database.nsf/34290857aec3348/978f458a?OpenDocument

for example, that first set of random elements is the note id to the "view"
design element.  A view is basically an index into the database's records
(you can have several views).  The second set of random elements is the
note id of the document itself.

Now, if you happen to know the name of the view involved (for example,
"AllDocuments"), and the document's "index value" in that view (e.g.,
"TopSecret"), then you can retrieve the same document with this URL:

    http://site.company.com/database.nsf/AllDocuments/TopSecret?OpenDocument

Since these ids have never been traditionally treated as capabilities in
the Domino world, security has always been provided there through extensive
use of ACLs.  There's an ACL to protect the server (site.company.com), the
database itself (database.nsf), the view (AllDocuments) and potentially
even the document itself (TopSecret).  Note, when using the Notes client,
the ACL attached to the view doesn't really afford you protection; Notes
clients can always create their own views, even with the same index
qualities as the original, thus giving them a handy bypass.  However, the
web browser doesn't have that capacity, so the protection there is better.

Kevin Lacobie
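
The two URL forms described in the message above, as an added example that is not part of the original post or of any Domino code: a small parser that splits a URL into database, view, document and action, and flags URLs whose view or document segment is a human-chosen name rather than an opaque ID. The 8-32 hex-digit rule for recognising an ID and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: an ID segment is a run of 8-32 hex digits, as in the message's
# sample URL; anything else is treated as a human-chosen name.
HEX_ID = re.compile(r"[0-9a-fA-F]{8,32}")

# Constructed sample URLs, taken from the two forms shown in the message.
ID_URL = "http://site.company.com/database.nsf/34290857aec3348/978f458a?OpenDocument"
NAME_URL = "http://site.company.com/database.nsf/AllDocuments/TopSecret?OpenDocument"


def kind(segment):
    """Return 'id' for an opaque hex identifier, 'name' for anything else."""
    return "id" if HEX_ID.fullmatch(segment) else "name"


def parse_domino_url(url):
    """Split a URL of the form host/db.nsf/view/document?Action into parts."""
    parts = urlsplit(url)
    segs = [unquote(s) for s in parts.path.split("/") if s]
    db_pos = next((i for i, s in enumerate(segs) if s.lower().endswith(".nsf")), None)
    if db_pos is None or len(segs) - db_pos - 1 != 2:
        raise ValueError("expected /<database>.nsf/<view>/<document>")
    view, doc = segs[db_pos + 1:]
    return {
        "host": parts.hostname,
        "database": segs[db_pos],
        "view": view, "view_kind": kind(view),
        "document": doc, "document_kind": kind(doc),
        "action": parts.query or None,
    }


def name_addressed(urls):
    """URLs where view or document is a guessable name, so the ACL is the
    only control: no unguessable ID has to be known to build the URL."""
    hits = []
    for url in urls:
        p = parse_domino_url(url)
        if "name" in (p["view_kind"], p["document_kind"]):
            hits.append(url)
    return hits


if __name__ == "__main__":
    for u in (ID_URL, NAME_URL):
        print(parse_domino_url(u))
    print(name_addressed([ID_URL, NAME_URL]))
```

A name that happens to be all hex digits (for example a view called "deadbeef") would be classified as an ID by this heuristic.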