R
Reinhold Schalk
Hello,
somewhere i've read that using strong names does assure two things:
1. Assure that the content of the assembly is not modified (that's ok in my
opinion)
2. Assure that the assembly is really from the "fabricator" (?)
If these two point are correct (i'm not sure), i have a problem with point
2.
To assure the authentity of the fabricator, the public key (which is a part
of the manifest) has to be checked against a certificate.
Is this really done? If yes, who does this? And what about the SN.EXE
Tool - it's possible to generate a lot of keypairs (for testing).
Certainly in a PKI a company would have a public - private key pair an would
probably use delayed signing.
But how can a client computer really check, whether the installed assembly
is really from this company (checking the public key).
I'm a little bit confused.
Perhaps someone can help me.
Thank in advance.
Reinhold
somewhere i've read that using strong names does assure two things:
1. Assure that the content of the assembly is not modified (that's ok in my
opinion)
2. Assure that the assembly is really from the "fabricator" (?)
If these two point are correct (i'm not sure), i have a problem with point
2.
To assure the authentity of the fabricator, the public key (which is a part
of the manifest) has to be checked against a certificate.
Is this really done? If yes, who does this? And what about the SN.EXE
Tool - it's possible to generate a lot of keypairs (for testing).
Certainly in a PKI a company would have a public - private key pair an would
probably use delayed signing.
But how can a client computer really check, whether the installed assembly
is really from this company (checking the public key).
I'm a little bit confused.
Perhaps someone can help me.
Thank in advance.
Reinhold