Re: No-touch deployment, digital certificates and Code Access Security

From: Michel Gallant (neutron_at_istar.ca)
Date: 05/21/04

Date: Fri, 21 May 2004 10:59:04 -0400
"Maz" <anonymous@discussions.microsoft.com> wrote in message
news:3E3B96AC-278B-4290-91DF-B2C42FA37889@microsoft.com...
> I want to deploy a .NET windows application via my company intranet url. I am concerned that if,
> for example, my app. contains code requiring it to write to the user's file system, under the Code
> Access Security / Runtime Security Policy (see CasPol.EXE) an exception would be generated. This
> would be because the Permission Set assigned to .NET applications launched from an Intranet url
> prohibits writing to the user's file system by default.
>
> I have approached someone in my company who says a way around this security is to get my code
> signed with a digital certificate by another group within my company. This is fine, no problem.
>
> The key question is this.
>
> Once that code is signed, when a user launches the app from the intranet url, does the presence of
> the digital certificate basically say "this code is writing to the user's file system and because
> it's digitally certified it is okay" and the app. launches without generating an exception?
>
> OR
>
> must my company FIRST PUT IN PLACE A SECURITY POLICY at the Enterprise or Machine level saying
> grant the Full Trust permission set to any code signed with such a certificate?
>

Yes to second. The local security policy on the client must be updated to know about the "CAS"
policy, usually through deployment of a custom child group.
However, the next release of .NET will support somewhat easier (and potentially transient) security
policy via "ClickOnce" functionality.

- Mitch Gallant
   www.jensign.com
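The policy change the reply says is required, as an added example that is not part of the original post: a batch script that uses caspol.exe from .NET Framework 1.1 to add a machine-level child code group keyed on the signing certificate, then checks what the signed assembly is actually granted. The Framework path, the certificate file (MyCompany.cer, assumed to be the same X.509 certificate used for the Authenticode signature) and the assembly name (MyApp.exe) are assumptions.

```batch
@echo off
REM Added example, not from the original post. Assumes .NET Framework 1.1 in its
REM default directory, that MyCompany.cer is the certificate the internal signing
REM group used for the Authenticode signature, and that MyApp.exe is the signed app.
setlocal
set FX=%WINDIR%\Microsoft.NET\Framework\v1.1.4322
set CERT=C:\policy\MyCompany.cer
set APP=C:\policy\MyApp.exe

REM Before the change: resolve what default policy grants this assembly.
REM An intranet-launched copy matches the Intranet zone group and gets the
REM LocalIntranet set, which contains no FileIOPermission, hence the exception.
"%FX%\caspol.exe" -m -rsp "%APP%"

REM Add a child group under the machine-level root group ("1.") whose membership
REM condition is the publisher certificate. Only assemblies that carry an
REM Authenticode signature from exactly this certificate match the condition.
REM FullTrust is used because that is what the question asks about; a narrower
REM named permission set (caspol -addpset) is the lower-risk choice when the app
REM only needs file access.
"%FX%\caspol.exe" -m -pp off
"%FX%\caspol.exe" -m -ag 1. -pub "%CERT%" FullTrust -n "MyCompanyPublisher" -d "Full trust for code signed with the MyCompany certificate"
"%FX%\caspol.exe" -m -pp on

REM Verify: list the machine code groups and resolve the assembly's grant again.
"%FX%\caspol.exe" -m -lg
"%FX%\caspol.exe" -m -rsp "%APP%"
endlocal
```

Use -en instead of -m to add the group at the Enterprise level. Until one of these runs on each client, the signature on the assembly changes nothing about what the runtime grants it.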