30.2. Embedding and Simplifying Public Key SecurityThe Lotus Domino PKI is not a free-standing product: it is integral to the Lotus Notes end-user and administrative experience. Every new user of the Notes desktop client is given, by his administrator, a public/private key pair in a keyfile called his ID file.[1] The user types in his password to decrypt and make use of the ID file. The Lotus Notes client uses a private key to authenticate to the Domino server, providing two-factor authentication (the
password the user knows, and the private key the user has stored in his keyfile).[2] By and large, the user is unaware of this use of public key cryptography. He knows only that he needs access to a copy of his ID file to use Notes.
30.2.1. Signing and Decrypting EmailThe same private key used in authentication can be used to sign and decrypt mail. A single email is explicitly signed or encrypted via a checkbox in the set of optionally manipulated delivery options of a mail message. Those features can also be enabled by default for all mail messages in user preference information. Checking signatures on email from people in your organization is quite seamless. Notes has a native, proprietary format for signing and encrypting, because the feature was originally developed before S/MIME and X.509 certificate standards had the widespread use they have today. Notes supports those standards now as well, but the usability and integration of the earlier formats is superior, because it exploits other native features of Notes/Domino, such as the organization and syntax of enterprise names and usernames in the directory. Notes Certificate Authorities are arranged in a naming hierarchy that parallels the enterprise organization naming hierarchy. Each user receives in his ID file a public key certificate for his private key and the certificate of every authority in his hierarchy. Any signature from another user who shares a common hierarchical authority with the recipient is automatically checked when the message is read. The name of the signer, the time of the signature, and the name of the shared authority is displayed in a message bar at the bottom of the window. For example, the Notes name of Mary Ellen Zurko/Westford/IBM will have certificates for that name, /Westford/IBM, and /IBM in its ID file. That username can automatically validate signatures from anyone under the /IBM authority. Hierarchical names constrain the format of names, but simplify the explicitly available trust relationships. Within an enterprise, users never have to be asked confusing questions about trust and authorities. Hierarchical names also provide excellent security properties, limiting the amount of damage a misbehaving or compromised Certificate Authority can do.[3]
30.2.2. Encrypting EmailEncrypting mail messages is more challenging, even within the circumscribed limits of an enterprise, because it requires access to information not always available locally on the client (trustworthy public key information for the recipient). When the user is on the network, and sending email to a colleague with a record in the directory configured as his directory server, encryption is as easy as signing. The directory server automatically finds the recipient's name and public key information. However, an enterprise may have many Domino directories; all need to be configured to be available to the sender's directory server. Sending encrypted mail offline has another set of issues that are addressed in the product, but can require preconfiguration or other extra interactions with the user. While excellent integration within an enterprise or organization hides many confusing key management concepts, using encryption or signature checking across those boundaries exposes them, leading to many of the known difficulties with PKI. Users receiving signed email from beyond their enterprise hierarchy are asked if they trust the root authority of the sender, with a display of that authority's fingerprint (a sequence of letters and numbers encapsulating the public key). In theory, the user is supposed to verify the fingerprint's association with a trustworthy entity associated with the presumed organization of that authority. In practice, users are more likely to be confused or simply click OK to start trusting that certificate. Encrypting for a recipient in another organization is even more complex, involving acquiring the certificate from the potential recipient and placing it into a personal directory. Lotus Notes provides features that allow the user to do that so that he does not have to rely on administrative intervention. However, explicit use of such features takes some sophistication on the part of the user. From the point of view of promoting both the active use and the understanding of security concepts, signing and encrypting are perhaps too embedded in Notes, as their integration has made them invisible in the most common use cases. Many Internet browser users feel a sense of security when they see the padlock icon indicating that the Secure Sockets Layer (SSL) is in use. The same users are unaware that an electronic pay stub delivered by Notes is encrypted and signed. Although users might get an enhanced feeling of trust if they see a similar icon on signed or encrypted mail messages, display of this information needs to be traded off with the many other informative messages and icons displayed in Notes email (including message priority, whether an attachment is included, and whether the message is a calendar invitation). How to balance ease of use and simplicity with user awareness and trust is an ongoing design issue. One of the major places where the public key infrastructure still intrudes is the need for the ID file to be present for Notes authentication, decryption, and signing. This has posed a challenge for kiosk use, where a desktop with the Notes client might be used by many employees of a single enterprise. It is an even bigger issue for browser-based access to Domino applications, including mail. The emphasis on local information that makes signing, signature checking, and decrypting both easy and extremely secure in the rich Notes client makes the same operations a challenge, and potentially less secure, in a browser-based environment. Lotus Domino can operate in a browser environment using special server-side processes for signing and encrypting email. To use these processes, however, the user must be willing to place his ID files on the server, allow the files to be decrypted, and allow the processes to access the user's private keys. The Lotus Notes PKI has provided excellent security and usability for six versions and 15 years. The benefits have been most noticeable in an enterprise setting that can take advantage of both the proprietary features and the organization's structure. This has enabled many simplifications not available to fully flexible, free-standing PKIs. |