Domino Blog

News, views and directions on IBM Lotus Domino

Good to hear. Are there plans to merge X509 and Notes Certificates further? On my little personal wishlist:

a) Load Notes IDs on a Smartcard

b) Have the possibility to use a X509 cert instead of a Notes certificate for client identification

c) Have a feature to push X509 certs into the NotesID that doesn't involve http.

... probably more if I continue thinking of it...

;-) stw

I realize this isn't tied to Smartcard Functionality ... but speaking of x.509 certificates...

Are there any plans to incorporate CRL checking for third Party Certs into Domino? We have had issues (currently not supported) with not being able to use the DoD's CRL (via the CRL itself or via OCSP) to validate whether or not a user has a legit DoD issued ID certificate (not expired/not revoked).

It would also be great if we could automate the acceptance of third party certificates. We currently have to use the certpub.nsf database to collect the third party web ID certificates and then have to manually approve the requests in order to "add" the certificate to their person document in the DD.

Its really pathetic to see that you guys are not serious for updating the blog regularly.

@3 - You can expect us to add new postings twice per week except during busy periods. Our dev team is also busy building the product, so taking time out to write blog articles during key milestones is not always possible. Thanks for the interest and keep tuned in.

@2 - I'd recommend that anybody interested in revocation checking for third party certs take a look at the OCSP functionality in the upcoming beta of the next feature release and send us their feedback.

Well, my apologies...

I did not mean to hurt anyone but just would not wait for the comments from you guys which I have been addicted to these days.

I just could not stand not able to read the updates...

May be I am just too impatient...

Apologies once again..

warm regards,

Pankaj

@1 - The "Larger keys for Notes protocols" functionality takes a step in that direction, as 1024+ bit Notes keys use the same encoding formats (BER) and cryptgraphic mechanisms (PKCS#1) as S/MIME and SSL.

a) has the problem that roaming a user between computers requires far more than just the ID file, and bookmarks and personal NABs won't fit on 64k smartcards. But I can't wait until I can get my hands on a hybrid smartcard/flash drive with enough capacity to play with both "Notes on a stick" and smartcards simultaneously. :)

b) The main problem here is naming. Notes names accurately specify the node's location in the PKI; names in X.509 certs are completely arbitrary and frequently filled with non-name related cruft such as legal disclaimers. However, if X.509 for Notes is interesting because you want to use keys on smartcards for Notes authentication, you can use an ID file with a 1024+ bit Notes key, and then export that private key to the smartcard. This will result in the secure hardware crypto being used for all crypographic operations involving that key, including Notes authentication, signing, and decryption.

c) Third party X.509 certs or Notes/Domino-generated X.509 certs? Have you tested the "Add Internet Cert to selected user" functionality from the view level of a person doc or looked at the PKCS#12 import functionality?

Third Party X.509 certs issued by DoD is what I'm talking about. Everything that has been done thus far has needed human action by an admin or someone from using a Notes Client. Also, from what I understand from the DoD contact at IBM Robert Murphy, the OCSP responder only is available for email certificates not for web ID certs. I could be way off target here but we have been waiting (and working with 3rd Party DoD Certs for 2+ years now) for IBM to take the lead and come up with a wizz bang interface that puts M$ products to shame :) In all seriousness though we have been banging this same drum for the last several years about automating adding Third Party Certs and Certificate Revocation. The last comment we had from last years round table at Lotusphere, was that it was not being requested by anyone else so most likely nothing would be done. I know the move here at the Navy has been to jump on the M$ band-wagon and push for .net solutions that will run on M$ servers such as SharePoint. I don't like the idea that IBM would be willing to put their heads in the sand because users aren't requesting enhancements (ignoring our requests repeatedly). I'm not trying to bash IBM/Notes as thats what we make our bread and butter off of. I'm a big proponent of Domino and would like to see "US" win and not "M$".

Go forth and wizz bang!

@8 - You are correct in pointing out that the official plan for OCSP support in 8.0 only covers X.509 certificates being used for email, and in fact OCSP is only used during S/MIME signature verification in the first beta. I cannot make any promises yet, but if you attend my Lotusphere presentation or ask me about OCSP support in the "Meet the Developers" lab next month, there is a good chance that you will receive a more satisfactory answer then than you would now.

If you have any OCSP responders accessible from outside your firewall, I would definitely appreciate a URI and a few .p12 files or smartcards with sample certs for testing purposes, though. There are few things more embarrassing than sneaking in new functionality with a particular customer in mind and then finding out after the release ships that their configuration is somehow horribly and tragically different from your test bed environment...

Boy I wish we had the funding to go to Lotusphere this year. This will be the first in a long while that one of our developers or admins will NOT be there. Unfortunately thats what its like working for the DoD sometimes... you don't always get the funding for the things that "we" consider important. If you ever get to the Mechanicsburg, PA area we'd be glad to volunteer our badges for testing purposes! I'm not knowledgeable enough to say if we have any OCSP URI's available outside the firewall. I know there was discussion about setting up an OCSP prototype at one point but since it was not supported in Domino we kind of lost touch with where that went.

Hi,

Ifound this page while looking for solution for including CRL of third party into DOMINO.

All users have Smart Card with Internet Certificates and Domino Directory includes all public keys. Can anyone help me with any reference

Thx

@11 This redbook on Domino security has a chapter on Smartcards and some more info on certificates. If there are follow on questions please post again.

{ Link }

Hi,

Thanks alot for your answer. But I can't find any thing about revocation list of a third party certificate authority.

thx again

Cialis

There are some people who say that top branded drugs are way more effective than the generic ones. However, this does not hold much truth when it comes to the generic medicines which are sold here. An online pharmacy which offers generic medicines at affordable prices. If you have been diagnosed with a sickness and your medication requires you to spend a lot for your medicines, you don't have to worry about this anymore. You can buy cialis and get a discount when you keep on buying the same drug. When you cannot tolerate the high price of branded medicines, your only option is an online pharmacy, since it is compassionate with your need for reasonably priced drugs.

If your medication calls for high-priced branded medicines, why not generic cialis? This is an alternative which is provided at your affordable online drug store. One of the advantages that you can get from this store is the fact that its medicines can be bought for very low prices. You can order generic drugs at the website. These medicines are formulated with ingredients which are equal to the ones which make up branded drugs. However, the prices of the two are entirely different. Even though the prices of generic drugs and branded drugs vary widely, the effects are still the same. This is due to the fact that the medicines which are sold at this online pharmacy have been approved by worldwide organizations. The effectiveness and the quality of the generic drugs are regarded as excellent. The legality of these drugs has been supported by international regulatory boards. Some of these authorities are South Africa MCC, USA FDA, and WHO.

When you buy cialis, the shipping service is offered for free. If you are residing within the European continent or at the other pole of the globe, the medicines that you have ordered will still be delivered to you. If you are a resident from the USA or from Europe, the duration of the shipping service can take fourteen days. One of the services that this online drug store provides its customers with is the chance to get a discount. Each time you order the same drug, you will be offered with a five-percent discount. Since the online pharmacy is compassionate with the plight of its sick patients, it does not charge you with hidden fees. Nor does it charge you when you consult with its physicians.

You can buy cialis when you are diagnosed with a sickness. Serious ailments such as cancer or manic depression can be treated with some of the medicines sold at this online pharmacy.

Author

Clive Robert { Link }

Our Online Pharmacy no Prescription doctors will evaluate your health information and provide you with a prescription, so you do not need a prescription from your regular family physician to cheap Generic Viagra. More info at: <a href="{ Link } title="Generic Viagra">{ Link }

yup - too true. Here's more info about <a href="{ Link } Price fir

Generic Viagra Online</a>

online pharmacy, online drugs, foreign online pharmacies, online pharmacy for generics drugs,pharmacy online,buy generic meds,buy generic drugs,online generic cialis,online generic Viagra,generic valtre

I like it all users have Smart Card with Internet Certificates and Domino Directory includes all public keys. Can anyone help me with any reference

--------------------------------------------------

<a href="{ Link } card</a>

When you buy cialis, the shipping service is offered for free. If you are residing within the European continent or at the other pole of the globe, the medicines that you have ordered will still be delivered to you. If you are a resident from the USA or from Europe, the duration of the shipping service can take fourteen days. One of the services that this online drug store provides its customers with is the chance to get a discount. Each time you order the same drug, you will be offered with a five-percent discount. Since the online pharmacy is compassionate with the plight of its sick patients, it does not charge you with hidden fees. Nor does it charge you when you consult with its physicians

------------------------------------------------

<a href="{ Link }

When you buy cialis, the shipping service is offered for free. If you are residing within the European continent or at the other pole of the globe, the medicines that you have ordered will still be delivered to you. If you are a resident from the USA or from Europe, the duration of the shipping service can take fourteen days. One of the services that this online drug store provides its customers with is the chance to get a discount. Each time you order the same drug, you will be offered with a five-percent discount. Since the online pharmacy is compassionate with the plight of its sick patients, it does not charge you with hidden fees. Nor does it charge you when you consult with its physicians

------------------------------------------------

<a href="{ Link }

Nice Post

Informative and Useful One

thanks for the good stuff...

{ Link }