With the release of a new version of .NET 2.0 in November, 2005, the question can be raised, What new security features and what new security holes have been introduced? Let's focus on new features. .NET Security Blog, run by Shawn Farkas, is one of my must read blogs on security and his coverage is spot on.
In a recent post, Enveloped PKCS #7 Signatures, Shawn covers the the implementation and usage of PKCS #7 messages, now as a feature of .NET 2.0. Take some time to read that post as the coverage there is good and there is little in the way of detail that I can add.
I do think that there is one important consideration that was left unmentioned. If during applications development, there is a requirement for the usage of PKCS #7 from within .NET, there previously were really only a few alternatives:
- Write a custom implementation.
- Perform calls into CAPI.
- Use some other library like Bouncy Castle.
- Some other alternative I haven't considered.
This changes the landscape for hardening of PKCS #7 messages in .NET. Those that choose to implement using these new features in .NET 2.0 will put themselves under the umbrella of that code. The upside is that implementations in applications are more concise and are based on standard .NET classes. This means that while the overall responsibility of security of an application that implements PKCS #7 does not change in requirements, the amount of code that is needed is less, i.e. less application code to harden. Additionally, this also means that the responsibility of fitness and hardening of these classes lays on the shoulders of the .NET security teams. Their code will be "put to the test" in the field. For hardening, the greater the number of instances in the field, the greater the likelihood that if weaknesses are to be found, those that engage in "breaking activities" will find them. Given the track record of security teams at Microsoft, I'm comfortable knowing that this both simplifies any application work and provides for a better, stronger code base over time.
Nice post and good work by the Microsoft security teams.
The other day, I mentioned that the Labrary went quiet. All servers and workstations were shutdown, or as one of my friends would say, optionsScalper=shutdown. Without my toys, I am nothing. I am defined solely by the CPU time across these machines. NOT.
Well, suffice it to say, that later that evening, optionsScalper=up. Everything restarted and I have a few more development boxes and other stuff running. Ahhhhhhhhhhhhhhhh.
BTW, the Labrary, now without the presence of a few dual Xeon rackmount servers, is significantly quieter and no longer running has a room temperature 88+ degrees F (31+ C). Note that in the cold Wisconsin winter, opening the Labrary window provided for virtually no relief in temperatures in the presence of those servers.
Back at it . . .