SECURING YOUR DATA


How trust is established for a Notes or Internet certificate
IBM® Lotus® Notes® and Internet certificates are used as identification. You may have to decide whether certificates that Lotus Notes encounters are legitimate -- whether you trust the certificates. A convenient way to declare trust in a certificate is to declare trust for a certificate authority (CA), so that you trust all certificates issued by that CA. When you first receive your User ID, the only CA that you implicitly trust is the CA that issued your Lotus Notes certificates. The certificate of any other CA, and any certificate issued by a CA that you do not trust, remains untrusted until you tell Lotus Notes to trust the CA's certificate or the individual certificates issued by that CA.

If you want to see which certificates you trust or change your trust decision for particular certificates, choose File > Security > User Security (Macintosh OS X users: Notes > Security > User Security), click Identity of Others, and click People, Services or Authorities. For more information about People and Services, which shows you which certificates you trust for specific people and services, see Certificates for people or services. For more information on Authorities, which shows you which CA certificates you trust, see Certificate authorities and the certificates they issue.

In addition to manipulating trust in User Security, you may be prompted to make immediate trust decisions. The following are examples of when you may be prompted to create a cross certificate that declares trust in a Lotus Notes or Internet certificate. Creating a cross certificate is equivalent to marking a certificate as trusted in User Security.

Notes cross certificate
If you try to access a Lotus Notes server in an IBM® Lotus® Domino™ domain that you are not part of, Lotus Notes may encounter Lotus Notes certificates that you do not trust. When this happens, you are asked if you want to create a cross certificate for either the server's certificate or for the CA that issued the server's certificate. If you do not create a cross certificate, the server connection fails due to your lack of trust in the server's certificates. Creating a cross certificate for the server's certificate establishes trust for the certificate in question and recognizes that the certificate is legitimate identification. Creating a cross certificate for the CA that created the server's certificate establishes trust for any certificate issued by that CA.

Internet cross certificate
If you receive Internet-style Lotus Notes mail (S/MIME) from someone who signed the mail message with a digital signature, you receive the certificate of the sender and the certificate of the CA that issued the sender's certificate. If Lotus Notes doesn't trust the certificates, you are asked if you want to create a cross certificate for either the sender's certificate or for the CA that issued the sender's certificate. If you do not create the cross certificate, you are still able to read the mail message, but you are prompted to create a cross certificate any time you open the message because the certificates are untrusted. Creating a cross certificate for the sender's certificate establishes trust for the certificate in question and recognizes that the certificate is legitimate identification. Creating a cross certificate for the CA that created the sender's certificate establishes trust for any certificate issued by that CA. However, creating a cross certificate for the CA is not the default option and it should be done cautiously since the certificate is from outside your Lotus Notes domain.
