ID vault security
The Notes® ID vault provides several layers of security.
- Protection against the use of an unauthorized vault
  - A user ID can be uploaded to a vault only if the parent certifier of the user ID issued a Vault Trust Certificate to the vault. This requirement prevents a rogue administrator from creating an unauthorized vault and uploading ID files into it.
- Protection against unauthorized downloads of IDs
  - IDs that are downloaded from a vault are password-protected. If an incorrect password is entered 10 consecutive times in one day during attempts to download an ID file from a vault to a client, downloads for that ID are disabled for the rest of the day. To download the ID on that day, you must reset its password. For additional protection, administrators can require authorization for all ID downloads.
- Protection against unauthorized password resets
  - To reset the password on a user ID, a user must have a Password Reset Certificate issued by the parent certifier of the user ID through the Domino® administrator. A custom password reset application, which enables users to reset their own passwords, requires a Password Reset Certificate to be issued to the identity under which the application runs and to each server on which the application is deployed.
- Protection against unauthorized access to the vault contents
  - User ID files are stored as attachments in ID vault documents. The ID vault documents are encrypted and are therefore unusable if they are detached from the vault. The vault database is also encrypted using the ID file of the server on which the database is located. Because that encryption depends on the server ID file, it is important to protect the server ID file from unauthorized access.
- Protection against unauthorized access to data transmitted over the network
  - All ID vault transactions between clients and servers are encrypted to protect the data during transmission.
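
The download lockout rule described under "Protection against unauthorized downloads of IDs" can be modelled as a small state machine. This is an added example, not code from the product and not its implementation. The event names, the sample events, the calendar-day boundary and the rule that a correct password ends a consecutive run are assumptions.

```python
from collections import defaultdict
from datetime import datetime

MAX_CONSECUTIVE_FAILURES = 10  # threshold stated in the text above

def replay(events):
    """Replay (iso_timestamp, user, kind) events; return (user, outcome) per download attempt."""
    failures = defaultdict(int)  # user -> consecutive bad passwords today
    last_day = {}                # user -> calendar date of the user's last event
    locked = set()               # users whose downloads are disabled today
    outcomes = []
    for ts, user, kind in sorted(events):
        day = datetime.fromisoformat(ts).date()
        if last_day.get(user) != day:   # assumption: state restarts each calendar day
            failures[user] = 0
            locked.discard(user)
            last_day[user] = day
        if kind == "password_reset":    # a reset re-enables downloads the same day
            failures[user] = 0
            locked.discard(user)
        elif user in locked:            # even a correct password is refused now
            outcomes.append((user, "denied_locked"))
        elif kind == "good_password":   # assumption: success ends the consecutive run
            failures[user] = 0
            outcomes.append((user, "downloaded"))
        else:                           # kind == "bad_password"
            failures[user] += 1
            if failures[user] >= MAX_CONSECUTIVE_FAILURES:
                locked.add(user)
            outcomes.append((user, "rejected"))
    return outcomes

def outcomes_for(user, events):
    return [outcome for u, outcome in replay(events) if u == user]

def _burst(user, day, n):
    # n constructed bad-password attempts, one minute apart from 09:00
    return [(f"{day}T09:{i:02d}:00", user, "bad_password") for i in range(n)]

# Constructed sample events (hypothetical users), not real Domino log data.
SAMPLE_EVENTS = (
    _burst("alice", "2024-03-01", 10)
    + [("2024-03-01T09:10:00", "alice", "good_password"),
       ("2024-03-01T09:20:00", "alice", "password_reset"),
       ("2024-03-01T09:21:00", "alice", "good_password")]
    + _burst("bob", "2024-03-01", 9)
    + [("2024-03-02T09:00:00", "bob", "bad_password"),
       ("2024-03-02T09:01:00", "bob", "good_password")]
)
```

In the sample, alice is refused even with the correct password until the reset, while bob's ninth and tenth failures fall on different days and never trigger the lockout.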