Allow Notes addins (API programs) to be certified 

Category: Domino Server / Other
Tags: Notes, addin, api, certification
Posted by: Robert Ibsen Voith4057 25 Jan 2008
Today any Notes addins (API programs) may trigger a separate password dialog box, if the user hasn't selected the "Don't prompt for a password from other Notes-based programs (reduces security)" - which is kind of ON or OFF regarding security for addons.
What if we could "certify" applications somehow within the Domino Directory? For example, could we create a certificate based upon the MD5 signature of the EXE or DLL file, and certify that? Different rules could apply, where you could remotely control what kind of access such a certified application should have on the user's workstation, including whether it is required to enter a password or not.

1) Richard Schwartz4594 (27 Jan 2008)
In general, code-signing is only secure when the signature verification is done by the component that actually loads the code file into memory. The JVM or the LotusScript interpreter in the Notes/Domino environment, both of which IBM controls and trusts, do this. But EXEs and DLLs are loaded by the OS.

Malware routinely hides or falsifies the identity of the .EXE or .DLL file that is running, so I see no reliable way for the Notes core code to validate an MD5 on the code file. I believe that trusting the OS to validate code signatures and vouch for them to authenticate with Notes/Domino would be an open invitation to major security holes.
2) Robert Ibsen Voith4057 (27 Jan 2008)
I see what you mean, but somehow I feel that we must come a step further than we are today. We have a bunch of anti-tampering/signing tools on the web to validate whether a file has been tampered with or not, so I don't quite see why this would impose any security hole, particularly one larger than what we have with ordinary document/mail signing today?!?
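
An added illustration, not part of the original thread, of the point raised in comment 1: a digest check only vouches for the bytes that the checking component itself goes on to load. The file name, contents, allowlist and `between` hook are constructed for this example, and SHA-256 is used in place of the MD5 mentioned in the idea.

```python
import hashlib
import os
import tempfile

def digest(data: bytes) -> str:
    # Assumption: SHA-256 stands in for the MD5 proposed in the idea.
    return hashlib.sha256(data).hexdigest()

def check_then_load(path, allowlist, between=None):
    """Verifier and loader are separate components: the file is read twice."""
    with open(path, "rb") as f:
        if digest(f.read()) not in allowlist:
            raise PermissionError("digest not certified")
    if between:
        between()  # window in which the file on disk can change
    with open(path, "rb") as f:
        return f.read()  # the bytes that actually get loaded

def load_verified(path, allowlist, between=None):
    """The loader verifies: one read, and the checked bytes are the ones used."""
    with open(path, "rb") as f:
        data = f.read()
    if between:
        between()  # later changes on disk no longer matter
    if digest(data) not in allowlist:
        raise PermissionError("digest not certified")
    return data

def demo():
    good = b"certified addin image"   # constructed sample contents
    other = b"different image"        # constructed sample contents
    allowlist = {digest(good)}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "addin.bin")

        def write(content):
            with open(path, "wb") as f:
                f.write(content)

        write(good)
        separate = check_then_load(path, allowlist, between=lambda: write(other))
        write(good)
        integrated = load_verified(path, allowlist, between=lambda: write(other))
        # Is what each path ended up loading still on the allowlist?
        return digest(separate) in allowlist, digest(integrated) in allowlist

if __name__ == "__main__":
    print(demo())
```
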

