shapj wrote:
> > While the specific encodings are different, the Lotus Domino server
> > uses an essentially similar mechanism for naming Notes objects in
> > web-based presentation -- even the format of the URL is highly similar.
If their URLs don't use a Swiss number, then the best you can say for the similarity of Domino URLs and Droplet(TM) URLs is that they are both URLs.
> I've put in a query to someone at Lotus to double check my understanding,
> and if the following is incorrect I will send out a followup.
I look forward to getting the answer either way. Please let us know in both cases.
> My understanding is that Notes assigns cryptographically protected object
> identifiers.
> In Notes, holding such an ID is a necessary but insufficient condition for
> using the view. The user must in addition have authenticated to the Notes
> server. That is, Notes implements a hybrid protection model through this
> interface incorporating both capabilities and ACLs.
If you can only ever use a capability if you comply with the ACL authentication, then you are using a crippled capability. The capability becomes no better than an object identifier. I am not sure that it should be considered correct to refer to this design as a capability based design.
The only way I can see this as a true capability based design is if it is possible to have very wide group ACL authentication and for users within the group to share data by passing around capabilities that satisfy this wide ACL constraint.
> > Session identifiers are also more guessable than
> > Swiss numbers, so this ACL system might be insecure.
>
> I'm not aware of any inherent reason why session identifiers should be more
> guessable than Swiss numbers.
Without additional information, I was assuming that you were referring to the HTTP session identifier generated by the web server. I do not know much about the software that generates these session identifiers, but based on visual inspection, they definitely seem to have an interior structure that is not intended for unguessability. It is possible that this could be exploited to compromise Domino security.
Tyler
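
The two protection models argued over in this message, as an added sketch that is not part of the original post and is not Domino or Droplet code. `ObjectStore`, `publish`, `fetch` and the user names are hypothetical; the sketch assumes a Swiss number is simply a 128-bit value from the OS CSPRNG and shows what happens when its holder passes it to someone else.

```python
import hashlib
import secrets


class ObjectStore:
    """Toy server naming objects by Swiss number (hypothetical, for illustration)."""

    def __init__(self):
        self._entries = {}  # sha256(swiss number) -> (object, ACL or None)

    def publish(self, obj, acl=None):
        # 128 bits from the OS CSPRNG: no interior structure to guess from.
        swiss = secrets.token_urlsafe(16)
        key = hashlib.sha256(swiss.encode()).digest()
        self._entries[key] = (obj, None if acl is None else frozenset(acl))
        return swiss  # the server keeps only the hash of the number

    def fetch(self, swiss, authenticated_user=None):
        entry = self._entries.get(hashlib.sha256(swiss.encode()).digest())
        if entry is None:
            return None  # unknown or guessed number
        obj, acl = entry
        if acl is None:
            return obj  # pure capability: possession is sufficient
        # Hybrid: the number is necessary, ACL membership is also required.
        return obj if authenticated_user in acl else None


def demo():
    """Alice hands each number to Bob; report what Bob can then fetch."""
    store = ObjectStore()
    pure = store.publish("report")
    narrow = store.publish("view", acl={"alice"})
    wide = store.publish("notes", acl={"alice", "bob", "carol"})
    return {
        "pure": store.fetch(pure, authenticated_user="bob"),
        "narrow_acl": store.fetch(narrow, authenticated_user="bob"),
        "wide_acl": store.fetch(wide, authenticated_user="bob"),
        "wide_acl_outsider": store.fetch(wide, authenticated_user="mallory"),
        "guessed": store.fetch("not-a-real-number", authenticated_user="alice"),
    }


if __name__ == "__main__":
    print(demo())
```

With the narrow ACL the passed number gives Bob nothing, so it acts only as an object identifier; with the wide group ACL, delegation by passing the number works for group members.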