Re: Strong name

From: Michel Gallant (MVP) (neutron@istar.ca)
Date: 02/12/03


Date: Wed, 12 Feb 2003 08:43:29 -0500
From: "Michel Gallant (MVP)" <neutron@istar.ca>


Strong Name uses a hash value of all components, to guarantee none have been
tampered with in any way. So it is basically integrity verification of assembly components.
To learn more, search MSDN for "Strong Name". There are not too many hits, yet :-)

 - Mitch

Crirus wrote:

 But if there is no verification of trust, what is such a strong name good for? Only for uniqueness?
"Michel Gallant (MVP)" <neutron@istar.ca> wrote in message news:3E4910CD.E282C68F@istar.ca...

No. A strong name signature does NOT involve a trust relationship in the same way as
verification of an Authenticode signature does. You could generate keys for signing with
a strong name using sn.exe and use that to generate your strong name. Only the public key
itself is used to verify the signature. No "issuer" trust is involved in strong-name sig. verification.

*Authenticode* signatures on the assembly itself (embedded signature within the PE assembly) address
the issue of trust from a certificate/key issuer. This trust verification process uses the native Authenticode
security infrastructure on any Windows OS, and operates outside of .NET also (e.g. cab installers are usually
required to be signed for installation to proceed).

See last few paragraphs of:
   http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconstrongnamescenario.asp

 - Michel Gallant
   MVP Security
   JavaScience Consulting
   http://pages.istar.ca/~neutron
 

Crirus wrote:

OK, and a strong name is a form of a certificate like VeriSign for SSL sites? I mean, I have to pay in order to acquire a public key?
"Mike Shaw [MS]" <mikeshaw@online.microsoft.com> wrote in message news:ez2UJ9P0CHA.2288@TK2MSFTNGP09...

Hi Crirus

The SDK documentation is a good place to start on the process of signing an assembly with a Strong Name:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconworkingwithstrongly-namedassemblies.asp

Briefly (and not completely), a Strong Name is an 'unspoofable' name created using a digital signature technique. The properties of a Strong Name include the Public Key portion of the signing key, the assembly name and its version. It is a required property for an assembly to be added to the Global Assembly Cache, allowing a unique name to be identified for each assembly.

A Strong Name represents a 'namespace' - the public key forming a common property that can be shared by all assemblies signed by the same keypair. Combined with a LinkDemand or InheritanceDemand, it is possible to restrict access to an assembly's interfaces, properties, methods and classes, to those calling assemblies with a given strong name.

A word of caution: By default, a strong named assembly requires its callers to have Full Trust. For partially trusted assemblies to call the strong named assembly, the strong named assembly must be marked with the AllowPartiallyTrustedCallers assembly attribute. See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/V1securitychanges.asp for more info.
--
Mike Shaw
.NET Developer Group, UK
This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use. © 2002 Microsoft Corporation. All rights reserved.
"Crirus" <Crirus@datagroup.ro> wrote in message news:OYofk4M0CHA.1712@TK2MSFTNGP10...

What is that and how can I build an assembly with strong name?

Crirus
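
The distinction made in this thread, that strong-name verification uses only the public key carried in the assembly and involves no issuer trust, as an added example that is not part of any post. It is a simplified model (textbook RSA with constructed toy keys and a SHA-256 digest, not the CLR's actual signature format), and all names in it are hypothetical.

```python
import hashlib

def make_key(p, q, e=65537):
    """Textbook RSA key from two primes (toy sizes, illustration only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}

# Constructed sample keys built from small Mersenne primes. Anyone can make
# one, which is the point: no certificate authority is involved.
KEY_A = make_key(2**61 - 1, 2**89 - 1)    # the original publisher
KEY_B = make_key(2**107 - 1, 2**127 - 1)  # some other party

def digest(body, n):
    """Hash of the assembly contents, reduced so it fits under the modulus."""
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def sign(name, body, key):
    """Return a signed 'assembly' that carries its own public key."""
    sig = pow(digest(body, key["n"]), key["d"], key["n"])
    return {"name": name, "body": body, "pub": (key["n"], key["e"]), "sig": sig}

def verify(asm):
    """Integrity check using only the embedded public key (no issuer chain)."""
    n, e = asm["pub"]
    return pow(asm["sig"], e, n) == digest(asm["body"], n)

def identity(asm):
    """Name plus a short hash of the public key: the value a caller pins."""
    n, e = asm["pub"]
    return asm["name"], hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]

def load(asm, pinned):
    """Accept only if the signature verifies AND the identity is the pinned one."""
    return verify(asm) and identity(asm) == pinned

original = sign("Lib", b"original code", KEY_A)
tampered = dict(original, body=b"modified code")  # contents changed, old signature
resigned = sign("Lib", b"modified code", KEY_B)   # re-signed with a different key
PINNED = identity(original)

if __name__ == "__main__":
    for label, asm in [("original", original), ("tampered", tampered),
                       ("resigned", resigned)]:
        print(label, "verify:", verify(asm), "load:", load(asm, PINNED))
```

The re-signed copy passes the signature check but carries a different public key, so it is rejected only because the caller compares the identity against the one it expects.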