Geeks With Blogs
Sasha Krsmanovic Canadian Developer Community Update

Dan Sellers just finished the second web cast in his security web cast series, featuring Mike Downen, a Security PM on Common Language Runtime team. Another great web cast with over 200 attendees again. Lots of questions, and I captured some of them below. If you want to listen to the web cast, it will be available at


Question: In Windows.Forms, do TextBox used for password input support the SecureString?

Answer: No, that's a good question. Winforms doesn't support SecureString yet. But there is a control available that Dan will demo shortly that does use a SecureString.


Question: Is SecureString available for use by unmanaged code (e.g. COM interface)?

Answer: No, the SecureString class is not visible to COM.


Question: The signature applies to encrypted content only or entire XML document?

Answer: The signature can apply to any part of the XML document you want -- just the encrypted part or the entire doc.


Question: Can this be used with a Web Service to encrypt a portion of the message? This is for non-document calls.

Answer: You can encrypt portions of a web service message, but you would use the WSE 3.0 extensions classes to that, or the WCF (Windows Communication Framework aka Indigo) classes to do the encryption, since they have support built in, rather than these general purpose classes.


Question: For LARGE encrypted content, would this work with the XmlTextWriter?

Answer: No, you have to use the DOM classes (XmlDocument, etc) with the XML Encryption and XML Signature classes.


Question: what is stopping someone to get hold of the xml file and decrypt the document?

Answer: They would have to have access to the private key used to encrypt the content or session key. The private key is not transmitted with the document.


Question: how do you store the private key?

Answer: Generally, for Windows computers, you would use key containers to safely store the private key. You can use certificates or smart cards to distribute the private key.


Question: How does the recipient get the private key?

Answer: You would have to transmit it to them separately from the message. Generally for Windows, you'd do this using certificates or smart cards.

Posted on Wednesday, March 8, 2006 11:11 AM | Back to top

Comments on this post: Security on the Brain Web Cast #2

No comments posted yet.
Your comment:
 (will show your gravatar)

Copyright © Sasha Krsmanovic | Powered by: