
Get rid of .ID files 

Posted by David Vasta2328, 30 Oct 2007
Category: Domino Administrator / Security
Tags: profile, ID, Files
Votes: -19 / 19 / 38

The cumbersome management of the ID files should be removed from Lotus Notes/Domino. IBM for years has promised to find a better way to manage these or remove them and use some type of global RADIUS server for authentication. Users lose the ID files, and they get out of sync with the certifier and cause many, many hours of lost administration time every place I have been and worked with Lotus Notes.

1) Tim Brown962 (30 Oct 2007)
This functionality is coming in Notes 9
2) Mika Heinonen3551 (30 Oct 2007)
Notes IDs should work like Web IDs; all you need is a Person Document.
3) Henry Ferlauto3847 (30 Oct 2007)
Would be nice to see Lotus support RSA (SecurID) tokens in the Notes client. They do with DWA.
4) David Vasta2328 (02 Nov 2007)
You guys are mean. How can anyone think the current .ID file is a great way to manage Domino and users? You have to be kidding me. It was smart 10 years ago when security was all over the place, but today with all the options we have, the ID file is cumbersome and pointless and should be removed. It is coming in 9, I know because Ed Brill promised it to me... well, not to me, but said it was coming. Looking forward to it.
5) Thomas Bahn3674 (03 Nov 2007)
The ID file is one of the most important security features of the Notes client!

I think the Notes/Domino platform is superior in security to many, many other systems BECAUSE of the two-factor authentication. This way, it's much more difficult to steal someone's identity. This is why in high-security areas you not only use one factor (PIN, key or whatever), but at least two.

In Notes it's not enough to get the user name (publicly available in most systems) and the password (through watching, searching for "notes", social engineering), but you have to get access to the ID file, too, which should be protected by file system rights.

Second, the personal private key is stored in the ID file, as are secret encryption keys. If you "get rid" of the ID file or it is stored in a central place like the Domino directory, everybody who gets access to the password also has access to these keys.

Therefore my vote can only be "Demote"!
6) Richie Schmid16 (04 Nov 2007)
I agree with Thomas. It's an important part of the private/public key infrastructure.
7) David Camara916 (07 Nov 2007)
I think choice is always the best option, it would be nice to choose the type of authentication (Notes ID, Username, RSA ...) on a user basis, on registration for example or on the person document.

I have seen several companies where users have various copies of their ID files, with different passwords (some with the company default password), on different machines (sometimes on the network), and that can't be good for security, so ID files are not all that great.
8) Chris Whisonant2445 (09 Nov 2007)
Let's see what's around the bend...
9) Grant Lindsay686 (11 Nov 2007)
ID files are more secure (and so, not pointless.) However, they are very cumbersome. That should be improved.
10) David Vasta2328 (21 Nov 2007)
Granted, but you have to admit using something like LDAP and other things would be better than the old and hard-to-manage .ID file. Come on, vote it up... please.
11) Scott Gentzen256 (21 Nov 2007)
The problem is that the ID file is really just an important part of Domino's PKI. The problem comes in when you're in an organization that has Domino but isn't Domino-centric.

Some places have their own PKI/certificate system in place to manage access to other resources. If you have a smartcard-based certificate to get into your workstation and other websites, what about Domino? You can associate your smartcard with your Notes ID file, but you still have that Notes ID file with a Notes cert on it.

I wouldn't want "get rid of .id files" to get interpreted as getting rid of Domino's PKI system, but I would like to see it more open to other systems managing certificates.
12) David Vasta2328 (25 Nov 2007)
Scott with all due respect...."The problem comes in when you're in an organization that has Domino but isn't Domino-centric."

I am a Team Lead for Lotus Administration with a company with over 27,000 users, 5000+ Domino apps and over 300 Domino servers. What do you consider "Domino-centric"? Everything runs on Domino. There is some data on the System i, but it's only data.

Sadly, in 2009 ID files as we know them are going away. So I would guess that this idea is moot, but I wanted to let IBM know we all get it. They are old and hard to manage. A true security risk. If I have your ID file, I now have 1/2 of the puzzle. Don't think they are a risk? Then what happens when a person leaves the company with a copy of the NSF and the ID? Then what? While I am very pro-security, I think the ID is a huge hole in security. I know the answer to my own question, you don't have to answer it, but I think your comments on the matter are too high level for most admins, and you should consider the least common admin, not ones like me with the ability and budget to do things right.
13) David Vasta2328 (14 Dec 2007)
Wow, the voting on this has been nuts. I would like to confirm that Lotus the other day said in 2009 ID files will be going away as we know it. No more lost ID files. No more mixed-up IDs that have been re-certed and such. They are going to keep the same security and do it without the use of the actual ID file. It will still be there, but not like it is today. It's messy today, and in 2009 it's going to get all cleaned up. Thanks, Lotus!
14) Jan Elvegård57 (16 Jan 2008)
It would be useful to have the option to run your Notes/Domino environment with or without ID files. In smaller-sized companies without their own Domino staff it is often a problem to manage IDs, and they look at Outlook/Exchange instead. From a security perspective it would be the same level as running a web client.
