ClickOnce Escalation Prompting

re: ClickOnce Escalation Prompting

adam — Mon, 24 Jan 2005 07:48:00 GMT

Did i miss something here?

is there now a $200 barrier for distributing any actually useful application if i want use .net? There goes use of ClickOnce in schools, for quick development projects, some open source ,etc.?

tell me i misunderstand.

<this gets back to the DRM argument...we're giving people what they don't actually want>

re: ClickOnce Escalation Prompting

Nektar — Mon, 24 Jan 2005 09:02:00 GMT

Don't Activex control have to be signed as well? If they are not they do not run. And yet they are called insecure by everyone. Why? They have to be signed and yet they cause so much trouble. Won't the same thing happen with Click Once ?
Why don't you create a blacklist of Activex controls containing the signatures of those persons whose activex is insecure and malitious and then push this blacklist to all Windows users through autoupdate. I thought that this is why digital signatures are for. To allow identification of malitious individuals and to block them successfully.

re: ClickOnce Escalation Prompting

Denny — Mon, 24 Jan 2005 10:03:00 GMT

well if the $200 is for verisign thats a problem.... other ca's are out there who can grant an authenticode cert for less $$$

re: ClickOnce Escalation Prompting

Mike Dimmick — Mon, 24 Jan 2005 11:32:00 GMT

Authenticode signing isn't necessarily that helpful. Well-known spyware like Comet Cursor and Gator are signed by their authors. There's no reason to suppose that their ClickOnce applications will be any different.

Authenticode provides verification of authenticity and verification of origin (assuming that no-one's stolen the code-signing private key and that VeriSign have correctly verified the applicant's identity). It should have very little role in trust decisions. It might inform a trust decision, slightly.

re: ClickOnce Escalation Prompting

ZippyV — Mon, 24 Jan 2005 16:31:00 GMT

Hello Sampy,
I have a question: Is it possible to block a certificate permanently?

re: ClickOnce Escalation Prompting

Sampy — Mon, 24 Jan 2005 18:48:00 GMT

adam: We're working on the price barrier issue. You'll still be able to run applications that run in the sandbox (the internet zone) but we have to draw the line somewhere and I think that this is the right security decision. There are ways other than getting a $200 cert to have the user trust your certificate but they are not automatic and require a little more work. We'll have better guidance after we ship.

Nektar: Microsoft deciding who is "bad" is a tough call. Also, we aren't in the business of revoking certs as we don't issue them; that's something the CA's have to do. There are fundimental differences between ClickOnce and ActiveX so comparing how they block unsigned applications is a little misleading. ClickOnce is built on the .Net security model which offers much more in the way of protection than the ActiveX model.

MikeD: Signing doesn't get you running without a prompt, just gets you past a total block. You are right in this case: it informs the trust decision.

ZippyV: Yes. There is an untrusted certificate store that you can put a cert in and then it will be untrusted.

re: ClickOnce Escalation Prompting

AT — Mon, 24 Jan 2005 20:01:00 GMT

I've a question:
Why do you think is 200USD/year ?

I believe it's a one-time 200USD cost.
Currently Microsoft does not check expire date for all thouse digitaly signed images.

Once you have valid certificate - you can sign all your future images like they were signed today (valid day for certificate).

AFAIK, There is no any reliable timestamp source requered for image signing.

Correct me if I'm wrong.

re: ClickOnce Escalation Prompting

Sampy — Mon, 24 Jan 2005 21:01:00 GMT

Your cert can only be used to sign within a year but it still validly represents you for longer as long as you timestamp when you sign.

Denny: Sorry I missed you there. You need a certificate specified to be Code Signing to use it in ClickOnce for Beta 2.

re: ClickOnce Escalation Prompting

AndyC — Mon, 24 Jan 2005 21:44:00 GMT

Doesn't this slightly miss the point of the original article though? Namely, what stops a developer (who has properly obtained his certificate) from always requesting full permissions, rather than the specific subset actually needed?

Isn't this just setting everyone up for a "you must run as admin" situation again? I can't help but feel there should be some sort of feedback that's proportional to the amount of access your giving the code. Quite how that can work without confusing end users is a thorny problem though...

re: ClickOnce Escalation Prompting

Sampy — Mon, 24 Jan 2005 22:01:00 GMT

AndyC: Good guidance and easy to use permission calculating tools (integrated with VS) are what works here. Unfortunatly, we can't (and shouldn't) force developers to run with minimum permissions but the easier we make it the better.

Check out the dialogs using a community tech preview or a Beta release. If you don't like them give us feedback.

The sandbox and limited permissions are going to be a lot more viable and interesting in Longhorn.

Mike Sampson - ClickOnce team does have a clue, thank you very much

Managed Space — Tue, 25 Jan 2005 09:38:00 GMT

Rev’s Thought Dump » Blog Archive » ClickOnce as an install prepatcher

Rev’s Thought Dump » Blog Archive » ClickOnce as an install prepatcher — Tue, 11 Jul 2006 08:43:05 GMT

PingBack from http://www.revfry.com/2006/07/10/clickonce-as-an-install-prepatcher/