Re: What is .Net?

> Thank you for taking the time to give me your explination. I appreciate
it
> very mcuh
>
The hardest part was understanding this security thing.
You have a policy and you have permissions.

Permissions are intended for the programmer to tell what this program is
allowed to do: E.g. allow network access.
Policies are intended for the computer user/administrator to decide what the
program running on his machine is allowed to do: E.g. access to nework.

The system is built in such a way that you have minimum, required and
optional permissions.
In a lot of cases these are definded the assembly.cs file. But if for
example only one function needs Internet acces and the rest of the librarie
doesn't then you can dynamically change the permission on the fly to give
this part access to Internet.

Important to know is that both the permission and policy must be satified or
the program won't run. A typical example is that of a pure .NET program
created in C#, that crashes when you double click on it when it is executed
from a shared network drive and it doesn't crash if you copy it local to the
C: drive and start if from there: reason : not enough security rights.

In my opninion, Microsoft could have created a more user-friendly default
error message, because the error you get now scares the hell out of even the
most hardened programmers. A simple dualog box telling that this program
does not have enough security rights to run and please contact your
administrator would be preferable. On that dialog box might also be a
details button to give details what is loaded and what is not. This should
be standard in the .NET framework because beginning programmers will
guarantee get into trouble like this.

Now what about trusting a program coming from one vendor and not all other
vendors?
Well you can sign your program and libraries (dll's) with a key you
generated on the fly. The .NET configuration can be configured to trust all
programs with this key, to the maximum. So you can reuse that key for all
your programs, it is free to generate that key. But of course you must never
ship that key to anyone or else they can imporsenate your software for
malware.

Now comes the final part, how the hell can you configure the .NET framework
to trust that key without having the user to go through the administrator
hell of setting the .NET policies. Suprisingly simple, you create a dll that
configures the key to be trusted, but the pitfall is that ONLY the setup can
execute that part of the code since the setup is not a .NET program and have
unrstricted access to the NET configuration tools. The reasoning is simple
that if you start an installer, then the .NET assumes that you know what you
are doing and that this software can be trusted, or else you won't install
it.

Although I am basically a low level programmer (C++/assembler) I do see a
big future for .NET applications if only Microsoft forces it to be installed
on all PC's. My company still creates none-.NET programs because
administrators simply refuse to install the .NET framework because of some
emotional based assumption that is completely incorrect. I need the extended
functionality of the .NET to create code faster, but I am forced to use the
MFC stuff and create everything myself because of the scare of the .NET
framework slowing me down dramatically. :-(

I hope this helps? :-)


.