Re: [Mono-dev] Mono.Security + SecureString
It'd break API compatibility, therefore it's a no-go.

Alan.

On Dec 12, 2007 12:55 PM, Vladimir Giszpenc [EMAIL PROTECTED] wrote:

> Hi,
>
> As you know, in .Net Framework 2.0 Microsoft added the SecureString class to keep passwords and other private data hidden. They did not add SecureString to the hashing or encryption/decryption providers to allow developers to take advantage of this new class. Mono does not use it in PKCS12 or anywhere else it could. It would be great if Mono took the lead and made touching private data a thing of the past.
>
> I could list a few places where password is accepted, but I am sure the security gurus know these classes way better than I do.
>
> I realize that this is an enhancement request, but security helps to sell technology. It would be nice to be able to say that Mono is more secure than .Net (or Java).
>
> Thanks,
> Vlad

___
Mono-devel-list mailing list
Mono-devel-list@lists.ximian.com
http://lists.ximian.com/mailman/listinfo/mono-devel-list

[Mono-dev] Mono.Security + SecureString
Hi,

As you know, in .Net Framework 2.0 Microsoft added the SecureString class to keep passwords and other private data hidden. They did not add SecureString to the hashing or encryption/decryption providers to allow developers to take advantage of this new class. Mono does not use it in PKCS12 or anywhere else it could. It would be great if Mono took the lead and made touching private data a thing of the past.

I could list a few places where password is accepted, but I am sure the security gurus know these classes way better than I do.

I realize that this is an enhancement request, but security helps to sell technology. It would be nice to be able to say that Mono is more secure than .Net (or Java).

Thanks,
Vlad

Re: [Mono-dev] Mono.Security + SecureString
Hey,

On Wed, 2007-12-12 at 12:59 +, Alan McGovern wrote:
> It'd break API compatibility, therefore it's a no-go.

Dude, you're too quick on the Send button. In doubt, which you should be wrt Mono.Security, please let other people answer the questions.

> Alan.
>
> On Dec 12, 2007 12:55 PM, Vladimir Giszpenc [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > As you know, in .Net Framework 2.0 Microsoft added the SecureString class to keep passwords and other private data hidden. They did not add SecureString to the hashing or encryption/decryption providers to allow developers to take advantage of this new class. Mono does not use it in PKCS12 or anywhere else it could. It would be great if Mono took the lead and made touching private data a thing of the past.

Yes, I filed a bug (a while ago) with MS to update their API wrt to SecureString. Sadly no action was taken, so many parts of the FX don't yet gain the advantages of SecureString.

> > I could list a few places where password is accepted, but I am sure the security gurus know these classes way better than I do.

I don't like the current SecureString code much (even if I wrote it). It was meant as temporary (at least when I completed it) since parts of it should be moved, IMO, into the runtime (and optionally not compiled in for small embedded systems).

> > I realize that this is an enhancement request, but security helps to sell technology. It would be nice to be able to say that Mono is more secure than .Net (or Java).

Please file a bug (priority Enhancement) in bugzilla.novell.com so your idea doesn't get lost in the mailing-list (and/or in my mind).

> > Thanks,
> > Vlad

Re: [Mono-dev] Mono.Security + SecureString
On Wed, 2007-12-12 at 12:59 +, Alan McGovern wrote:
> It'd break API compatibility, therefore it's a no-go.

Be more imaginative than that. :-)

It need not be actual new methods on the existing classes, but instead extension methods in a different assembly. It might also be possible to make the Mono runtime assemblies (mscorlib.dll, etc.) friend assemblies of some Mono helper assemblies; this would permit more efficient passing of data between the standardized assemblies and the Mono extensions w/o using Reflection.

This would be visible to external code -- new attributes on e.g. mscorlib.dll -- but I'm not sure that this would actually break compatibility in any meaningful way (unless having added attributes breaks compatibility, in which case every [MonoTODO] needs to be removed!).

Certainly, this would make any such extension methods tied to Mono, but it would also provide ways to try out new API designed before suggesting them for standardization, in a way that won't break compatibility for most users.

 - Jon

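
The extension-method approach suggested in the message above, as an added example that is not part of the thread and is not Mono or Microsoft code: a separate helper assembly gives HashAlgorithm an overload that accepts a SecureString, so the existing class is left unchanged. The class name SecureStringHashExtensions, the choice of UTF-8 and the sample secret are assumptions made for illustration.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
using System.Text;
// Hypothetical helper assembly: nothing here is part of Mono or the .NET Framework.
public static class SecureStringHashExtensions
{
    // Hashes the UTF-8 encoding of a SecureString without creating a managed string.
    public static byte[] ComputeHash(this HashAlgorithm hash, SecureString secret)
    {
        if (hash == null) throw new ArgumentNullException("hash");
        if (secret == null) throw new ArgumentNullException("secret");
        IntPtr unmanaged = IntPtr.Zero;
        char[] chars = new char[secret.Length];
        byte[] bytes = new byte[Encoding.UTF8.GetMaxByteCount(secret.Length)];
        // Pin both buffers so the GC cannot relocate them and leave stray copies behind.
        GCHandle charPin = GCHandle.Alloc(chars, GCHandleType.Pinned);
        GCHandle bytePin = GCHandle.Alloc(bytes, GCHandleType.Pinned);
        try
        {
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(secret);
            Marshal.Copy(unmanaged, chars, 0, chars.Length);
            int count = Encoding.UTF8.GetBytes(chars, 0, chars.Length, bytes, 0);
            return hash.ComputeHash(bytes, 0, count);
        }
        finally
        {
            // Wipe every plaintext copy this method created, then release it.
            if (unmanaged != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);
            Array.Clear(chars, 0, chars.Length);
            Array.Clear(bytes, 0, bytes.Length);
            charPin.Free();
            bytePin.Free();
        }
    }
}
public static class Demo
{
    public static void Main()
    {
        using (SecureString pw = new SecureString())
        using (SHA256 sha = SHA256.Create())
        {
            // Constructed sample secret; real code appends characters as they are typed.
            foreach (char c in "constructed-sample") pw.AppendChar(c);
            Console.WriteLine(BitConverter.ToString(sha.ComputeHash(pw)));
        }
    }
}
```

A wrapper outside the provider can only wipe the buffers it allocates itself; anything the hash implementation buffers internally is out of its reach, which is the gap direct SecureString support in the providers would close.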