Comparison with Authenticode Signatures


Authenticode signatures are another mechanism used for digitally signing files in the Windows environment (and, indeed, their use is still supported in the .NET Framework). The following section briefly outlines the chief similarities and differences of the two concepts and can be safely skipped by any reader not familiar with the concept of Authenticode.

In many ways, strong names and Authenticode certificates are alike: both seek to establish publisher identity and base part of their implementation on public/private key pair cryptography and digital signing. But there are significant differences as well.

Authenticode certificates are not considered part of the assembly name, so they play no role in separating publisher namespaces. Strong names accomplish this by submitting the publisher public key as a name component.

Strong names don't use a third party (such as Verisign) as part of the signing and verification algorithm. This has a number of ramifications:

  • Strong names are lighter weight. The implementation is simpler, the process involved is less complex, and, at the low level, code can avoid making network connections during verification.

  • There is no automatic means to associate a strong name public key with the corresponding publisher. The publisher must advertise its public key or keys in an out-of-band fashion (such as documentation shipped with the product or on the company Web site).

  • No means exist to revoke the use of a given strong name public key should the corresponding private key be found to be compromised. Again, publishers must take steps themselves to inform their users of the breach of security and issue new assemblies signed with an updated key pair.

Strong name verification never results in a display of a graphical user interface requiring the user to make a trust decision. All mappings from publisher public key to trust levels are made ahead of time in the security policy database. Assemblies that are not self-consistent (in other words, the signature doesn't verify with the embedded public key) are never loaded (modulo delay-signed assemblies that are registered to have their verification skipped).
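The out-of-band key publication and publisher-announced key compromise described above, as an added C# example that is not from the book: a local table, filled in ahead of time, maps the public key embedded in an assembly name to a decision. The names `PublisherTrust`, `StrongNamePolicy` and `Classify`, and the table entries, are assumptions made for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;

enum PublisherTrust { NotStrongNamed, UnknownPublisher, KnownPublisher, KeyWithdrawn }

static class StrongNamePolicy
{
    // Hex form of a key blob, used as the lookup key in the local tables.
    static string Hex(byte[] blob) { return BitConverter.ToString(blob); }

    // Maps the public key embedded in an assembly name to a decision made ahead of time.
    // 'published' holds keys the publisher advertised out of band; 'withdrawn' holds keys
    // the publisher has announced as compromised (there is no revocation service to ask).
    public static PublisherTrust Classify(AssemblyName name,
        IDictionary<string, string> published, ISet<string> withdrawn)
    {
        byte[] key = name.GetPublicKey();
        if (key == null || key.Length == 0) return PublisherTrust.NotStrongNamed;

        string hex = Hex(key);
        // A withdrawn key wins over a published one: old entries may still be in the table.
        if (withdrawn.Contains(hex)) return PublisherTrust.KeyWithdrawn;
        return published.ContainsKey(hex) ? PublisherTrust.KnownPublisher
                                          : PublisherTrust.UnknownPublisher;
    }

    static void Main()
    {
        // Sample input: the runtime's own core library stands in for a vendor assembly.
        AssemblyName name = typeof(object).Assembly.GetName();
        string key = Hex(name.GetPublicKey());

        var published = new Dictionary<string, string>();
        var withdrawn = new HashSet<string>();

        Console.WriteLine(Classify(name, published, withdrawn));   // key not recorded yet
        published[key] = "Example vendor (constructed entry)";     // key learned out of band
        Console.WriteLine(Classify(name, published, withdrawn));
        withdrawn.Add(key);                                         // vendor announced a compromise
        Console.WriteLine(Classify(name, published, withdrawn));
        Console.WriteLine(Classify(new AssemblyName("Unsigned"), published, withdrawn));
    }
}
```

`Classify` only reads the embedded key; it does not check the signature, so it complements the loader's self-consistency verification rather than replacing it.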



.NET Framework Security
ISBN: 067232184X
EAN: 2147483647
Year: 2000
Pages: 235
