Re: Strong name

From: Michel Gallant (MVP) (neutron@istar.ca)
Date: 02/12/03


Date: Wed, 12 Feb 2003 08:43:29 -0500
From: "Michel Gallant (MVP)" <neutron@istar.ca>


Strong Name uses a hash value of all components, to guarantee none have been
tampered with in any way. So it is basically integrity verification of assembly components.
To learn more, search MSDN for "Strong Name". There are not too many hits, yet :-)

 - Mitch

Crirus wrote:

 But, if there is no verification on trust what is good for such string name? Only for uniqueness?
"Michel Gallant (MVP)" <neutron@istar.ca> wrote in message news:3E4910CD.E282C68F@istar.ca...No. A strong name signature does NOT involve a trust relationship in the same was as
verification of an Authenticode signature does. You could generate keys for signing with
a strong name using sn.exe and use that to generate your strong name. Only the public key
itself is used to verify the signature. No "issuer" trust is involved in strong-name sig.verification.

*Authenticode* signatures on the assembly itself (embedded signature within the PE assembly) addresses
the issue of trust from a certificate/key issuer. This trust verification process uses the native Authenticode
security infrastructure on any windows OS, and operates outside of .net also (e.g. cab installers are usually
required to be signed for installation to proceed).

See last few paragraphs of:
   http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconstrongnamescenario.asp

 - Michel Gallant
   MVP Security
   JavaScience Consulting
   http://pages.istar.ca/~neutron
 

Crirus wrote:

ok, and a strong name is a form of a certified like VeriSign for SSL sites? I mean, I have to pay in order to aquire a public key?
"Mike Shaw [MS]" <mikeshaw@online.microsoft.com> wrote in message news:ez2UJ9P0CHA.2288@TK2MSFTNGP09...Hi Crirus The SDK documentation is a good place to start on the process of signing an assembly with a Strong Name: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconworkingwithstrongly-namedassemblies.asp Briefly (and not completely), a Strong Name is an 'unspoofable' name created using a digital signature technique.  The properties of a Strong Name include the Public Key portion of the signing key, the assembly name and its version.  It is a required property for an assembly to be added to the Global Assembly Cache, allowing a unique name to be identified for each assembly. A Strong Name represents a 'namespace' - the public key forming a common property that can be shared by all assemblies signed by the same keypair.  Combined with a LinkDemand or InheritanceDemand, it is possible to restrict access to an assemblies interfaces, properties, methods and classes, to those calling assemblies with a given strong name. A word of caution:  By default, a strong named assembly requires its callers to have Full Trust.  For partially trusted assemblies to call the strong named assembly, the strong named assembly must be marked with the AllowPartiallyTrustedCallers assembly attribute.  See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/V1securitychanges.asp for more info.
--
Mike Shaw
.NET Developer Group, UK This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use. © 2002 Microsoft Corporation. All rights reserved.
"Crirus" <Crirus@datagroup.ro> wrote in message news:OYofk4M0CHA.1712@TK2MSFTNGP10...What is that and how can I buid a assembly with strong name? Crirus


Relevant Pages

  • Re: Strong name
    ... if there is no verification on trust what is good for such string name? ... A strong name signature does NOT involve a trust relationship in the same was as ... I have to pay in order to aquire a public key? ...
    (microsoft.public.dotnet.security)
  • Re: Digital signatures
    ... keys you want to sign but don't want your signature to be exported ... You do have the ability to assign trust and build upon trust ... verification that I am the John Doe you wish to do business with, ... verify signatures made by keys I don't trust (or have a trust path ...
    (Fedora)
  • Re: Strong name
    ... A strong name signature does NOT involve a trust relationship in the same was as ... verification of an Authenticode signature does. ... You could generate keys for signing with ... No "issuer" trust is involved in strong-name sig.verification. ...
    (microsoft.public.dotnet.security)
  • Re: OT: More about GPG signing
    ... Because there's no web of trust involving people that both you and the ... It establishes identity the identity associated with the signature. ... Ralf had been signing his emails for the last 2 years, ... signatures as they are unobtrusive but available for verification by ...
    (Debian-User)
  • Re: Public-key CD-KEY protocol (comments welcomed)
    ... The truncation makes verification impossible without ... Anything short of the full PK signature cannot be verified. ... > a) If this is the first connection: ... > client, that records it. ...
    (sci.crypt)