Ensuring that calling assembly signed by certain keys

I have a few questions about restricting who may call an assembly I'm building.

First, I have a business assembly on a web server, with Serializable objects that use remoting to move themselves to a data server (which also has a copy of the business layer, and a data layer assembly as well). Assuming this assembly is strongly named, do I need to worry about someone compromising the web server, decompiling my business assembly and then making calls via remoting to the data server? I know the public key token is part of the version number of the assembly, but I've also heard that the token itself could be applied to a rogue assembly?

Second, is it possible to force that a caller of my assembly be signed with certain public keys? Would adding such a restriction work, or would it be too easy to fake a public key (from a dotnet or com assembly)?

Thanks
Andy

"Andy" <ajohnst***@capcitypress.com> wrote in message news:1126187535.243352.101620@g47g2000cwa.googlegroups.com...
> Hi all,
>
> I have a few questions about restricting who may call an assembly I'm
> building.
>
> First, I have a business assembly on a web server, with Serializable
> objects that use remoting to move themselves to a data server (which
> also has a copy of the business layer, and a data layer assembly as
> well). Assuming this assembly is strongly named, do I need to worry
> about someone compromising the web server, decompiling my business
> assembly and then making calls via remoting to the data server? I know
> the public key token is part of the version number of the assembly, but
> I've also heard that the token itself could be applied to a rogue
> assembly?

Any sort of code signing is essentially useless for identifying calling code in a remoting scenario. See the thread at http://groups.google.com/group/microsoft.public.dotnet.security/browse_frm/thread/ffbba47b0422fa94/ for a previous discussion of the same topic.

> Second, is it possible to force that a caller of my assembly be signed
> with certain public keys? Would adding such a restriction work, or
> would it be too easy to fake a public key (from a dotnet or com
> assembly)?

How easy it might be to fake or bypass such a protection depends very much on the runtime environment. Is this still for the remoting scenario, or did you have some other runtime scenario in mind for this question?