Re: sn.exe -Vr assembly

From: Nicole Calinoiu (calinoiu)
Date: 01/27/05


Date: Thu, 27 Jan 2005 09:22:20 -0500

Personally, I'd argue that much of security is about reducing/mitigating
risk due to inherent lack of trustworthiness, but that's going off on a bit
of a tangent...

Of course all bets are off when you can't trust the people doing the work.
If you take as a given that it can be impossible to trust any single person
to perform certain types of work, then there's a really big problem if
you're using a single-auth system. For example, would you trust Verisign's
certs if you believed that any single employee could issue a certificate
without processes that involved verification by other humans? Would it
matter to you whether that employee was a clerk, a systems admin, or the
CEO?

"Michel Gallant" <neutron@istar.ca> wrote in message
news:e7IR3MHBFHA.2032@tk2msftngp13.phx.gbl...
> Much of security is ALL about trust. Technology is such a small
> part of it. You don't trust people developing/deploying your web apps
> infrastructure? All bets are off!
> Don't trust Verisign's ability to verify clients purchasing code-signing
> certificates? Or SSL certs?
> Then never trust any signed or SSL sites again, or signed cab software
> updated blahhh ...
>
> - Mitch Gallant
> MVP Security
>
> "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message
> news:uWoOeAHBFHA.2788@TK2MSFTNGP15.phx.gbl...
>> ""Shawn Farkas [MS]"" <shawnfa@online.microsoft.com> wrote in message
>> news:getjnEzAFHA.3048@cpmsftngxa10.phx.gbl...
>> > What this boils down to is that if you need to be sure that your exact
>> > code is being run, then you need to retain control over that code. One
>> > really easy way to do that with .Net is to wrap your assembly in a web
>> > service, and only ship to your clients the code that calls the web service.
>>
>> And what if you can't trust the folks who administer the web service
>> environment? <gdr>
>>
>
>


