Security Basics mailing list archives

Re: Lotus Notes Encryption


From: Philip Storry <phil () philipstorry net>
Date: Sun, 12 Jan 2003 01:24:41 +0000

Hello ullmic6,

I'll happily help you with your problem. I'm a PCLP in Lotus Domino
System Administration, and have spent a lot of time on the security
side of the system.

Wednesday, January 8, 2003, 7:38:57 PM, you wrote:

uwd> Hello everybody,

uwd> in my company we are using Lotus Notes/Domino R5 as a mail tool. Even if 
uwd> the encryption is proprietary and just 64 bits, I like this feature very 
uwd> much because it keeps the casual inside attacker from sniffing my mails.

Side note: The mail encryption isn't proprietary. At least, not in the
sense of "nobody trusts it" - Lotus have licensed the BSAFE libraries
from RSA. These libraries are fairly well respected in the
cryptographic community, and for a long time represented the only
commercial way to use public/private key cryptography commercially
without infringing on patents.

uwd> But now something interesting happened. Encrypted mails that I sent just
uwd> disappeared. The explanation I got was: I have a subset of the domino
uwd> directory (which is on the server and which includes the public key of 
uwd> the recipients) on my pc (called dircat).

Directory Catalogues were new to R5. I love 'em. Nice and small. Did
you know you can choose what goes into them? You could add the public
key field to the list, if you like (The field name is "Certificate",
oddly enough.). The thing is, doing so rather increases the size of
the Directory Catalogue. In fact, unless you're filling in all the
fields in the Domino Directory, the Public Key fields will be the
largest fields of the Directory.

uwd> This local dir does not include the public keys due to size and
uwd> performance for mobile users. In this scenario my Lotus Notes
uwd> client does NOT download the public key from the server directory
uwd> and encrypt the message. Instead it just sets a flag that this
uwd> mail must be encrypted, sends it unencrypted to the server and
uwd> tells the server to do the encryption. My encrypted mails
uwd> disappeared because these recipients' public keys were missing on
uwd> the server.

I've seen that happen so many times it's untrue. The Domino Directory
losing the public key details, that is. It's usually because a Person
document has been accidentally deleted. Someone recreates it, but
forgets to add in the public key details.

Go to the person that has the public key missing, and look at their ID
file (File - Tools - User ID). In the More Options section, you can
choose to copy the public key. That copies it to the clipboard.
You'll probably be at their desk when doing this - unless you have a
copy of their ID file handy, in which case you could Examine their ID
file in the Administrator client (Go to the Configuration tab, open
the tools menu at the right-hand side and choose ID Properties under
the Certification section).
If you're at their desk, paste the public key into an email which you
can send to yourself. Then perform the next step.
If you're using the Admin client, then just go to the People & Groups
tab and locate their Person document. Open it, go to the Certificates
tab and then, under the Notes Certificates tab remove whatever they
have and paste in what you now have for them. The formatting won't
look quite the same - that's normal, and can be ignored.
Note that you can't paste into that field unless you're an
Administrator - which is why you'll probably have to email the public
key back to yourself if you're at their desk. :-)

uwd>  My problem here is that I want end-to-end encryption.

Quite understandable. :-)

uwd> I do not want to delegate the encryption to a server (even if I
uwd> hope that port encryption is enabled like defined in our
uwd> policies).

If you really don't want to trust the delegated encryption, even after
tidying up your Domino Directory and making sure it has people's
certificates, then you can add the field to your Domino Directory
Catalog. Just open the catalog, go to the Configuration view, open the
configuration (for editing, of course) and add the field "Certificate"
to the end of the list of fields that you want added to the Domino
Directory.

I've not tested this, beyond ensuring that the certificates appear in
the Directory Catalog - but once they're there then the clients using
the Directory Catalog should be able to encrypt mail for all
recipients. The only reason for this not to work would be any
truncation of the field that may take place when the Catalog is built.
A small caveat - this would only work for recipients that have a
certificate in the Domino Directory - remember that because the
Catalog is built from the Domino Directory, it sounds like you're
going to have to do some maintenance there anyway.

uwd> Does anybody on this list know if the encryption process really
uwd> works as described above? The info on Lotus encryption on the
uwd> web and in IBM's Redbooks is too unspecific to explain what's
uwd> really going on here.

To find out how encryption (of all kinds) works, browse through the
Security section of the Domino Administration Help (help5_admin.nsf).
That has pretty good overviews of it all.

IBM/Lotus documentation suffers severely from verbosity. All the
information you need is in there - somewhere. I recommend taking a
copy of the three main help files - Domino Administration Help, Domino
Designer Help and Notes Client Help and full-text indexing them. Then
make sure your first port of call is to learn about the indexing
system, and how to search in Lotus Notes. That'll help you immensely.
:-)

Red Books, if available on a particular subject, are excellent
because:
  a) IBM have dug the information out for you
  b) They include best practices and other things not in the
  documentation - only as suggestions, but often good ones.

It's a shame that Domino doesn't have a few more Redbooks to help
those new to administering it - but Domino is such a large product
that I admit I wouldn't know where to start!

-- 
Best regards,
 Philip                            mailto:phil () philipstorry net
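The three outcomes described in this exchange (client-side encryption when the recipient's public key is in the local Directory Catalog, delegation to the server when it is not, and loss of the mail when the server's Domino Directory also lacks the key) can be audited before anything is sent. The following script is an added example and is not code from the original post or from Lotus; the Person records, names and the "<...-pubkey>" markers are constructed, and the dictionary layout is an assumption standing in for the real Directory and Catalog databases. Only the field name "Certificate" comes from the thread.

```python
"""Audit which recipients a Notes client can encrypt for end-to-end.

Constructed model (not Lotus code): the Domino Directory holds each
person's public key in the "Certificate" field; a Directory Catalog on
the client holds only the fields listed in its configuration.  If the
recipient's key is in the local catalog the client encrypts itself;
otherwise it flags the mail for server-side encryption, and if the
server's Directory also lacks the key the mail is lost.
"""
from enum import Enum


class Outcome(Enum):
    END_TO_END = "client encrypts with key from local catalog"
    DELEGATED = "client sends plaintext to server, server encrypts"
    LOST = "no public key anywhere: mail will be dropped"


# Constructed Domino Directory: Person documents keyed by full name.
# "Bob" models a Person document that was deleted and recreated by hand
# without the public key being pasted back in.
DOMINO_DIRECTORY = {
    "Alice Example/Acme": {"ShortName": "alice", "Certificate": "<alice-pubkey>"},
    "Bob Example/Acme": {"ShortName": "bob"},
    "Carol Example/Acme": {"ShortName": "carol", "Certificate": "<carol-pubkey>"},
}

# Constructed catalog field list, as configured in the Directory Catalog;
# "Certificate" is deliberately absent in the default case.
DEFAULT_CATALOG_FIELDS = ("ShortName",)


def build_catalog(directory, fields):
    """Build a Directory Catalog containing only the configured fields."""
    return {
        name: {f: doc[f] for f in fields if f in doc}
        for name, doc in directory.items()
    }


def classify(recipient, catalog, directory):
    """Decide how a mail to `recipient` would be handled."""
    if catalog.get(recipient, {}).get("Certificate"):
        return Outcome.END_TO_END
    if directory.get(recipient, {}).get("Certificate"):
        return Outcome.DELEGATED
    return Outcome.LOST


def audit(recipients, catalog_fields=DEFAULT_CATALOG_FIELDS, directory=DOMINO_DIRECTORY):
    """Return {recipient: Outcome} for a given catalog configuration."""
    catalog = build_catalog(directory, catalog_fields)
    return {r: classify(r, catalog, directory) for r in recipients}


def lost_recipients(recipients, catalog_fields=DEFAULT_CATALOG_FIELDS, directory=DOMINO_DIRECTORY):
    """Names whose mail would be dropped regardless of catalog config."""
    results = audit(recipients, catalog_fields, directory)
    return sorted(r for r, o in results.items() if o is Outcome.LOST)


if __name__ == "__main__":
    people = list(DOMINO_DIRECTORY)
    for fields in (DEFAULT_CATALOG_FIELDS, DEFAULT_CATALOG_FIELDS + ("Certificate",)):
        print(f"catalog fields {fields}:")
        for name, outcome in audit(people, fields).items():
            print(f"  {name:22} {outcome.name:10} {outcome.value}")
```

Adding "Certificate" to the catalog field list moves Alice and Carol from DELEGATED to END_TO_END, but Bob stays LOST either way, which is the point made above: the Catalog is built from the Domino Directory, so the missing keys have to be repaired there first.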

