Firewall Wizards mailing list archives

Re: Lotus Domino as an access control to internal network


From: Aleph One <aleph1 () dfw net>
Date: Fri, 27 Feb 1998 07:06:47 -0600 (CST)

On Thu, 26 Feb 1998, chuck wrote:

> RE Authentication in notes:
> The Swedish(?) parliament was quite surprised to find that
> Notes' encryption uses a key escrow that the US Gov't has
> access to it.  Strangely, the country's legislative
> body was not excited to have the US be able to decrypt
> their information.  Use of Notes was severely curtailed.
>
> Never heard the outcome of that, but it was making a splash
> in December....

This is very old news. They switched to this scheme back in 1996.
Notes used 64-bit session keys. The export version encrypts 24 bits of the
key using a special government RSA key. This means that the government
still needs to brute force the 40-bit key. Note a few things:

a) this only affects the export version

b) the approved export key size before this scheme was implemented was
   40 bits. So in effect, even with the 24 bits in escrow, you are as
   secure or more than if you used their earlier version of the software.

> > * The Notes server requires authentication.
> Passwords.  Reusable passwords.  No provision for OTP use.

The password only unlocks your RSA key. The session key is used to
exchange a randomly generated session key. There is no need for one-time
passwords.

> > * When granted access to the server, clients will *only* have access
> > at database level (subject to ACL's; review the defaults!), and not
> > at file level.
>
> Review them and hope they work - you're betting your business secrets on it.

Isn't this true of any software (including firewalls)? You may wish to
actually point out deficiencies in Notes instead of trying to deride
it using cynical statements.

Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 
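The escrow arrangement Aleph One describes (a 64-bit session key, of which 24 bits are encrypted to a government RSA key, leaving a 40-bit search for anyone holding that key) is easy to lose track of in prose. The following is an added illustration written for this archive page; it is not Lotus Notes code and does not reproduce the actual Notes cipher or escrow format. It assumes a toy XOR cipher keyed by SHA-256, a textbook RSA key built from two fixed Mersenne primes as the stand-in "government" key, and scaled-down key sizes so the brute force finishes in a test; the `workfactor_bits` helper reports the real 64/24/40 figures without running them.

```python
"""Differential-workfactor key escrow, scaled-down illustration.

Added example for this page: toy cipher, toy RSA, not Lotus Notes code.
"""
import hashlib
import secrets


# --- toy primitives (stand-ins; Notes used real block/stream ciphers) ---
def toy_encrypt(key: bytes, msg: bytes) -> bytes:
    """XOR msg with SHA-256(key). Enough for a brute-force demo, not a cipher."""
    stream = hashlib.sha256(key).digest()
    assert len(msg) <= len(stream), "toy cipher handles at most 32 bytes"
    return bytes(m ^ s for m, s in zip(msg, stream))


# Textbook RSA on fixed Mersenne primes (assumption: illustration only; a real
# escrow key would be properly generated and the field would be padded).
P, Q = (1 << 61) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def escrow_encrypt(high_bits: int) -> int:
    """Encrypt the escrowed part of the key to the 'government' public key."""
    return pow(high_bits, E, N)


def escrow_decrypt(field: int) -> int:
    """What the holder of the government private key can do."""
    return pow(field, D, N)


# --- the scheme ---
def make_session(key_bits: int, escrow_bits: int):
    """Return (session key, escrow field). Only the top escrow_bits of the key
    are encrypted to the government key; the peers keep the whole key."""
    key = secrets.randbits(key_bits)
    high = key >> (key_bits - escrow_bits)
    return key, escrow_encrypt(high)


def brute_force(ct: bytes, pt: bytes, known_high: int,
                key_bits: int, escrow_bits: int):
    """Attacker who has recovered the escrowed high bits searches the rest.
    With the real parameters (64/24) this loop would run 2**40 times."""
    low_bits = key_bits - escrow_bits
    prefix = known_high << low_bits
    nbytes = (key_bits + 7) // 8
    for low in range(1 << low_bits):
        cand = prefix | low
        if toy_encrypt(cand.to_bytes(nbytes, "big"), pt) == ct:
            return cand
    return None


def guess_escrow_without_private_key(field: int, escrow_bits: int):
    """Caveat of the toy: unpadded, deterministic RSA over a tiny message space
    lets *anyone* with the public key recover the escrowed bits by trial
    encryption. A real escrow field must be randomised/padded to prevent this."""
    for high in range(1 << escrow_bits):
        if escrow_encrypt(high) == field:
            return high
    return None


def workfactor_bits(key_bits: int, escrow_bits: int, has_escrow_key: bool) -> int:
    """Bits an attacker must search: the government gets key_bits - escrow_bits,
    everyone else still faces the full key."""
    return key_bits - escrow_bits if has_escrow_key else key_bits


if __name__ == "__main__":
    # Scaled parameters so the search is instant: 24-bit key, 16 bits escrowed.
    key, field = make_session(24, 16)
    ct = toy_encrypt(key.to_bytes(3, "big"), b"notes")
    recovered = brute_force(ct, b"notes", escrow_decrypt(field), 24, 16)
    print("government recovers key:", recovered == key)
    print("real-world search with escrow key   :", workfactor_bits(64, 24, True), "bits")
    print("real-world search without escrow key:", workfactor_bits(64, 24, False), "bits")
```

The point the test exercises is the one in the reply: the escrow halves the government's work to a 40-bit search while leaving everyone else facing 64 bits, which is no worse than the 40-bit export ciphers it replaced. The trial-encryption helper is there to show why the escrow field itself has to be padded, a detail the toy deliberately omits.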


