[Mono-dev] Mono.Security + SecureString

Sebastien Pouliot sebastien.pouliot at gmail.com
Wed Dec 12 08:27:13 EST 2007 

Hey,

On Wed, 2007-12-12 at 12:59 +0000, Alan McGovern wrote:
> It'd break API compatibility, therefore it's a no-go.

Dude, you're too quick on the Send button. 

In doubt, which you should be wrt Mono.Security, please let other people
answers the questions.

> Alan.
> 
> On Dec 12, 2007 12:55 PM, Vladimir Giszpenc <vgiszpenc at dsci.com>
> wrote: 
>         Hi,
>         
>         As you know, in .Net Framework 2.0 Microsoft added the
>         SecureString class to
>         keep passwords and other private data hidden.  They did not
>         add SecureString
>         to the hashing or encryption/decryption providers to allow
>         developers to
>         take advantage of this new class.  Mono does not use it in
>         PKCS12 or 
>         anywhere else it could.  It would be great if Mono took the
>         lead and made
>         touching private data a thing of the past.  

Yes, I filled a bug (a while ago) with MS to update their API wrt to
SecureString. Sadly no action was taken, so many parts of the FX don't
yet gain the advantages of SecureString.

>         I could list a few places where
>         password is accepted, but I am sure the security gurus know
>         these classes 
>         way better than I do.

I don't like the current SecureString code much (even if I wrote it). It
was meant as temporary (at least when I completed it) since parts of it
should be moved, IMO, into the runtime (and optionally not compiled in
for small embedded systems).

>         
>         I realize that this is an enhancement request, but security
>         helps to sell
>         technology.  It would be nice to be able to say that Mono is
>         more secure
>         than .Net (or Java).

Please fill a bug (priority Enhancement) in bugzilla.novell.com so your
idea doesn't get lost in the mailing-list (and/or in my mind).

>         Thanks, 
>         
>         Vlad
>         
>         _______________________________________________
>         Mono-devel-list mailing list
>         Mono-devel-list at lists.ximian.com
>         http://lists.ximian.com/mailman/listinfo/mono-devel-list
>         
> 
> _______________________________________________
> Mono-devel-list mailing list
> Mono-devel-list at lists.ximian.com
> http://lists.ximian.com/mailman/listinfo/mono-devel-list

More information about the Mono-devel-list mailing list