This is really an issue about communication. I don't think the purpose of CAS has been communicated by Microsoft very well over the years. People hear thats its the .NET security model and assume its all-encompasing, rather than one tool in a suite that wee need to secure our applications and machines from unwanted access. CAS is great because it gives us a tool we didn't have before but its not designed for the purpose you needed.
A|lthough I must admit, I'm not sure how going to C++ is going to help (or hinder for that matter)
Regards
Richard Blewett - DevelopMentor
http://staff.develop.com/richardb/weblog
nntp://news.microsoft.com/microsoft.public.dotnet.languages.csharp/<
[email protected]>
Well, following are some comments from a dis-illusioned developer. We
had meeting with Microsoft last week dealing with topics nearly the same
as the one you are asking about. One of the attendees was a person on
the actual CLR team so he should know what he is talking about. One of
the aspects of CAS we wanted to get detailed about was protecting some
of our dlls from having the customer calling them. Things dealing with
passwords and account setups. We need it as a dll because we have a
suite of applications and they need to share the same code. Basically
the CLR guy told us that there was no way to protect our dlls if they
are installed on the customer machine and he has Administrator
privleges. A determined person could work around any CAS features we
would try to implement. Licensing was really the best way to do the
protection he said. CAS was basically designed to protect the owner of a
machine from external code being accessed not to protect from code
installed on the machine.
This knowledge really floored us. We are having to rethink our design.
Protecting some sub-components are a must for us. At this point we don't
know how to approach it. Might have to go back to good old C++ and the
old fasion ways of doing this protection. Sad, was hoping to relegate
C++ to lower level funtions like drivers.
Sorry if this disillusions you about CAS but that is the state i am in
right now.
Leon Lambert
Chad said:
Before I spend a lot of time reading about something
I might not need to use/worry about, can someone give me
the 5 second take on CAS?
In general, when do I need to worry about it (what type of
apps in what types of environments)?
I'm writing a data access API for a proprietary system. We're
shipping this API to customers who build apps on top of this
API/foundation library.
What, if anything, should I be thinking about in terms of CAS?
Thanks,
Chad
---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (
http://www.grisoft.com).
Version: 6.0.766 / Virus Database: 513 - Release Date: 17/09/2004
[microsoft.public.dotnet.languages.csharp]