Re: Code signing (signcode versus strong name)?
From: Michel Gallant (neutron_at_istar.ca)
Date: 04/22/04
- Next message: James Black: "re: problem when encrypting from C#, decrypting in Java"
- Previous message: FLO: "Re: Code signing (signcode versus strong name)?"
- In reply to: FLO: "Re: Code signing (signcode versus strong name)?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 22 Apr 2004 08:22:22 -0400
It really depends on how much security-control you have over
managing the strong-name keypairs, and how big your enterprise is,
and how it is logically and development-wise structured.
Generally, I would say it is best to keep the number of strong-name
keypairs to an absolute minimum.
- Mitch Gallant
MVP Security
"FLO" <floriz@web.de> wrote in message news:OxFaPgFKEHA.3216@tk2msftngp13.phx.gbl...
> Yes, I am German.
> Now I understood the difference, but am nevertheless interested in the
> article.
> Still I have one (maybe easy) question concerning this topic:
>
> - How many keys to use for strong names?
> One per application, or is it better to use one key for the whole company?
> I guess one per application, except that the same .dll-binaries are used
> in multiple applications.
>
> Thank you
>
> Florian
> P.S.: Sorry for my late response... just got back from holidays.
>
> Michael Willers wrote:
>
> > "FLO" <floriz@web.de> wrote
> >
> >>What is the difference between the following two ways of signing
> >>.net-applications?[...]
> >
> >
> > A strong name provides code integrity via public key encryption. If your
> > code was manipulated by someone else (e.g. with a hex editor) the CLR will
> > detect this and will not load this assembly. So malicious code will not
> > run on your system. But a strong name will not give you any information
> > about the publisher.
> >
> > Authenticode provides code identity. Your code will be signed with a
> > certificate and the purpose of a certificate is to bind a public key to a
> > specific person or company.
> > So it identifies the publisher of the code.
> >
> > Hope that helps
> > Michael
> >
> > P.S.: Your name sounds very German. I wrote an article about this topic for
> > the next issue of the German developer magazine dotnetpro. Let me know if you
> > are interested.
> >
> >