> While the
> specific encodings are different, the Lotus
> Domino server uses an
> essentially similar mechanism for naming Notes
> objects in web-based
> presentation -- even the format of the URL is
> highly similar.
I've put in a query to someone at Lotus to double check my understanding,
and if the following is incorrect I will send out a followup.
My understanding is that Notes assigns cryptographically protected object
identifiers. I do not know if this is accomplished by sparse allocation or
by conventional allocation followed by signing of some form. I submit that
These id's can name records or views on those records. The first may be thought of as the full object interface and the second as a particular thinning of the interface.
However, as I said in previous posting, I'm not aware of any session-specific capabilities.
> Session identifiers are also more guessable than
> Swiss numbers, so this ACL system might be insecure.
I'm not aware of any inherent reason why session identifiers should be more guessable than Swiss numbers. Indeed, session identifiers can be implemented using Swiss numbers. This is essentially what is done in IPv6 for example. Given their security history, I would be surprised if Lotus has bothered to use Swiss numbers for session identifiers, but that, at least, is a flaw in the implementation rather than in the basic design.
Jonathan S. Shapiro, Ph. D.
Research Staff Member
IBM T.J. Watson Research Center
Email: shapj@us.ibm.com
Phone: +1 914 784 7085 (Tieline: 863)
Fax: +1 914 784 7595