On Sun, 2 Jun 2002 17:38:38 +0100, Ian Griffiths <[EMAIL PROTECTED]> wrote:
>> Ian Griffiths <[EMAIL PROTECTED]> wrote:
>>
>> >By default a strongly-named assembly can only be called by
>> > full-trusted callers. I think this is intended as a 'secure by
>> > default' setting, because it should reduce the chances of
>> > someone being able to use the luring attack
>> > on such an assembly.
>>
>> Why are they equating strongly named with trusted or secure?
>
>I think the real question is: why don't they apply this policy to *all*
>components, not just strongly-named ones?

Yes, the change would be less objectionable if it applied to all components. As it currently stands, they have broken one of the golden rules of system design - "Orthogonality". Strong-named assemblies and Trusted assemblies should be completely orthogonal concepts. We can only hope to understand complex systems such as DOTNET if seemingly independent concepts can be understood in isolation.

I also don't completely understand the lurking attack that you refer to. If the referenced strongly named assembly tries to perform some privileged operation, then the security system will walk the stack and ensure that all callers have appropriate privilege (unless one of them has asserted that privilege - in which case it was a conscious decision).

>> >But if you want your strongly-named assembly to be callable
>> > by partially trusted callers, just apply the
>> > AllowPartiallyTrustedCallersAttribute to your assembly:
>> >
>> >[assembly:AllowPartiallyTrustedCallersAttribute]
>>
>> Thanks for work around.
>
>It's not a work around. It's the way to do it. There's a difference -
>'work around' implies that this is a bug in the first place, which it isn't.

It is if it isn't documented - especially when a seemingly irrelevant change (such as giving an assembly a strong name) breaks what was working code.

Cheers,
Wayne.
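
The stack walk and the effect of an asserted permission discussed in this thread, as an added example that is not part of the original message or of any poster's code. It targets .NET Framework code access security; the class name, method names and the file path are hypothetical, and the library is assumed to be strong-named and fully trusted.

```csharp
using System.IO;
using System.Security;
using System.Security.Permissions;

// Opt in: without this attribute, the public members of a strong-named
// assembly are callable only by fully trusted code.
[assembly: AllowPartiallyTrustedCallers]

public static class ReportReader   // hypothetical library type
{
    // Constructed sample path; FileIOPermission requires an absolute path.
    private const string OwnLog = @"C:\ProgramData\ExampleApp\report.log";

    // Weak: Assert stops the stack walk at this frame, so the callers above
    // it are never checked. The path is caller-controlled, which means a
    // partially trusted caller can borrow this assembly's file access.
    public static string ReadAsserted(string path)
    {
        new FileIOPermission(FileIOPermissionAccess.Read, path).Assert();
        try { return File.ReadAllText(path); }
        finally { CodeAccessPermission.RevertAssert(); }
    }

    // Hardened: no Assert. File.ReadAllText demands FileIOPermission itself,
    // the walk reaches every caller, and a caller without that permission
    // gets a SecurityException.
    public static string ReadChecked(string path)
    {
        return File.ReadAllText(path);
    }

    // Hardened Assert: when partially trusted callers must be served, assert
    // only for a fixed resource the library owns, never for caller input,
    // and revert as soon as the privileged call returns.
    public static string ReadOwnLog()
    {
        new FileIOPermission(FileIOPermissionAccess.Read, OwnLog).Assert();
        try { return File.ReadAllText(OwnLog); }
        finally { CodeAccessPermission.RevertAssert(); }
    }
}
```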