Code Access Security and Authenticode

From: Chris B (ChrisB_at_discussions.microsoft.com)
Date: 06/18/05


Date: Fri, 17 Jun 2005 15:17:03 -0700

I have a .NET application that has approx 40 assemblies. I use signcode
and a VeriSign digital certificate to sign all the assemblies. I deploy the
application as a SmartClient - i.e. all the assemblies are on a server. A
client machine with the .NET framework runs the main assembly.

Of course, this is the point where Code Access Security comes in. My
application requires special Code Access Security on the client's machine.
So if the client has not done so once, she must run a CAS installer program
that I wrote to set the appropriate .NET Code Access Security. The installer
basically does the following:

1. Creates a new Machine level Code Group
2. Makes the membership condition "Publisher" and uses the digital signature
of my assemblies.
3. Assigns appropriate permissions if the membership conditions are met.

So far so good. Everything works.

However...

The digital certificate for some reason expires after one year. When the
certificate expires will signcode.exe not let me sign assemblies with it? If
signcode does let me sign with an expired certificate, then will CAS still
honor the digital certificate?

I'm asking because it would be a major pain to require my users every year
to re-setup their client-side CAS. As far as VeriSign has confirmed to me,
when I renew the certificate, I will get an entirely new private and public
key.

I know I can set up the CAS with the strong-names of each of my assemblies,
but I think it would be less elegant to set up 40 CAS Code Groups for this.

The digital signature seems to be the most elegant way (and has been),
except for this one terribly annoying expiration date.

Any guidance or suggestions to solve my problem welcome.

TIA
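
The three installer steps described in the post, as an added example that is not the poster's installer: it assumes the .NET Framework CAS policy API, and the group name, the permission set choice and the command-line modes are hypothetical. It goes one step beyond the post by also showing the strong-name condition keyed on the public key alone.

```csharp
// Added example; assumes the .NET Framework CAS policy API (System.Security.Policy).
// Saving machine-level policy requires administrator rights.
using System;
using System.Collections;
using System.Reflection;
using System.Security;
using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;
using System.Security.Policy;

class CasGroupInstaller
{
    const string GroupName = "Example_SmartClient";  // hypothetical code group name
    const string PermSetName = "LocalIntranet";      // assumed; use the narrowest set that works

    static IMembershipCondition BuildCondition(string mode, string signedFile)
    {
        if (mode == "publisher")
        {
            // Step 2: Publisher condition from the file's Authenticode certificate.
            X509Certificate cert = X509Certificate.CreateFromSignedFile(signedFile);
            Console.WriteLine("Publisher cert expires: " + cert.GetExpirationDateString());
            return new PublisherMembershipCondition(cert);
        }
        // Strong-name variant: a null name and version match any assembly signed
        // with this key pair, so a single code group covers every assembly.
        byte[] key = AssemblyName.GetAssemblyName(signedFile).GetPublicKey();
        if (key == null || key.Length == 0) throw new ArgumentException("assembly is not strong-named");
        return new StrongNameMembershipCondition(new StrongNamePublicKeyBlob(key), null, null);
    }

    static void Main(string[] args)  // usage: CasGroupInstaller publisher|strongname <assembly>
    {
        if (args.Length != 2) { Console.Error.WriteLine("usage: publisher|strongname <assembly>"); return; }
        PolicyLevel machine = null;   // Step 1: locate the Machine policy level
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
            if (((PolicyLevel)levels.Current).Label == "Machine") machine = (PolicyLevel)levels.Current;
        if (machine == null) throw new InvalidOperationException("Machine policy level not found");

        // Step 3: bind the condition to a named permission set.
        NamedPermissionSet perms = machine.GetNamedPermissionSet(PermSetName);
        if (perms == null) throw new InvalidOperationException("Permission set not found");
        CodeGroup group = new UnionCodeGroup(BuildCondition(args[0], args[1]), new PolicyStatement(perms));
        group.Name = GroupName;

        CodeGroup root = machine.RootCodeGroup;
        foreach (CodeGroup child in root.Children)                 // Children is a copy
            if (child.Name == GroupName) root.RemoveChild(child);  // keep reruns idempotent
        root.AddChild(group);
        machine.RootCodeGroup = root;
        SecurityManager.SavePolicyLevel(machine);
    }
}
```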


