NGWS SDK Documentation  

This is preliminary documentation and subject to change.
To comment on this topic, please send us email at ngwssdk@microsoft.com. Thanks!

What is Evidence?

Any object, of any type, that security policy recognizes is evidence. Security policy is composed of code groups; an assembly (the basic unit of code to which security permissions are granted) is a member of a code group if it satisfies that group's membership condition. Evidence is the set of inputs to policy that membership conditions consult to decide which code groups an assembly belongs to.

The Evidence class is a collection (it implements ICollection) that holds a set of objects, each representing one piece of evidence. (In this topic, capital-E Evidence refers to the class; lower-case evidence to the objects it holds.) An Evidence instance keeps two separate sets, host evidence and assembly evidence, named for the source each came from.

Sources of evidence

Policy draws evidence from two different sources when evaluating what permissions to grant code.

Host evidence is provided by the host, and only a host that has been granted SecurityPermission with the ControlEvidence flag may supply it. Typically this is evidence of the code's location of origin and of the digital signatures on the assembly.

Evidence about location of origin typically includes URL, Site, and Zone evidence. Signature evidence covers software publisher (Authenticode) and strong name identities. Both kinds of signature-based identity are built into the assembly, but they must be validated and passed to policy by the host: when the assembly is loaded, the security system verifies the signature, and only if it is valid is the corresponding evidence created and passed to policy.

Assembly evidence is part of the assembly itself. Developers or administrators can attach custom evidence to an assembly to extend the set of evidence available to policy; see the section Extending evidence for details. (Note that a signed assembly may not be modified after signing, so additional evidence cannot be added to it without breaking the existing signature.)
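As an added example (not code from the NGWS SDK or this page), the following C# program shows the two evidence sets described above. It builds an Evidence collection the way a host would, placing location-of-origin evidence (Url, Site, Zone) in the host set and a custom serializable evidence object in the assembly set, enumerates each set separately, and then runs two membership conditions against the collection to show how policy consumes evidence. It assumes the System.Security.Policy types as shipped in the .NET Framework (Evidence, Url, Site, Zone, ZoneMembershipCondition, SiteMembershipCondition); the pre-release NGWS API surface may differ. The BuildLabelEvidence type and the URL are hypothetical.

```csharp
// Added example, not from the NGWS SDK page. Assumes the .NET Framework
// System.Security.Policy API as shipped; the NGWS pre-release surface may differ.
using System;
using System.Collections;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Hypothetical custom assembly evidence. Custom evidence must be serializable
// so that it can be embedded in the assembly and handed to policy.
[Serializable]
public sealed class BuildLabelEvidence
{
    public readonly string Label;
    public BuildLabelEvidence(string label) { Label = label; }
    public override string ToString() { return "BuildLabel=" + Label; }
}

public sealed class EvidenceDemo
{
    // Builds an Evidence collection the way a host would. Constructing the
    // object needs no special permission; handing it to the loader as host
    // evidence (for example through an Assembly.Load overload that takes
    // Evidence) is what demands SecurityPermissionFlag.ControlEvidence.
    public static Evidence BuildEvidence()
    {
        Evidence ev = new Evidence();

        // Host evidence: where the code came from. Site is derived from the URL.
        string origin = "http://www.example.com/bin/app.dll"; // constructed sample
        ev.AddHost(new Url(origin));
        ev.AddHost(Site.CreateFromUrl(origin));
        ev.AddHost(new Zone(SecurityZone.Internet));

        // Assembly evidence: travels with the assembly itself.
        ev.AddAssembly(new BuildLabelEvidence("nightly-2000-07"));

        return ev;
    }

    // Renders one of the two sets. Host and assembly evidence are enumerated
    // separately because policy trusts them differently.
    public static string[] Describe(IEnumerator e)
    {
        ArrayList names = new ArrayList();
        while (e.MoveNext())
            names.Add(e.Current.GetType().Name + ": " + e.Current);
        return (string[])names.ToArray(typeof(string));
    }

    // Membership conditions consume evidence: a code group whose condition is
    // "Zone == Internet" accepts this collection; a Site condition matches
    // only if the host supplied Site evidence for that site.
    public static bool MatchesInternetZone(Evidence ev)
    {
        return new ZoneMembershipCondition(SecurityZone.Internet).Check(ev);
    }

    public static bool MatchesSite(Evidence ev, string site)
    {
        return new SiteMembershipCondition(site).Check(ev);
    }

    public static void Main()
    {
        Evidence ev = BuildEvidence();

        Console.WriteLine("Host evidence:");
        foreach (string s in Describe(ev.GetHostEnumerator()))
            Console.WriteLine("  " + s);

        Console.WriteLine("Assembly evidence:");
        foreach (string s in Describe(ev.GetAssemblyEnumerator()))
            Console.WriteLine("  " + s);

        Console.WriteLine("Internet zone code group: " + MatchesInternetZone(ev));
        Console.WriteLine("www.example.com site group: " + MatchesSite(ev, "www.example.com"));
        Console.WriteLine("evil.example.net site group: " + MatchesSite(ev, "evil.example.net"));
    }
}
```

The point to notice is that the membership conditions look only at the host set: the custom BuildLabelEvidence object is carried along in the assembly set but, unless a custom membership condition is written for it (see Extending evidence), no built-in code group will act on it.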

Evidence and identity permissions

Some – but not all – evidence types have an associated identity permission. The evidence object and its corresponding identity permission carry essentially the same information, but there is a subtle semantic distinction between them.

For completeness, the related membership condition for each such evidence type is described as well.
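As an added example (not code from the NGWS SDK or this page), the following C# program takes one evidence type, Url, and shows the three objects that surround it: the Url evidence object supplied to policy, the UrlIdentityPermission that policy derives from it through IIdentityPermissionFactory, and the UrlMembershipCondition a code group applies to the evidence. It also adds an ApplicationDirectory evidence object, which has no identity permission, to show that not every evidence type yields one. It assumes the .NET Framework System.Security.Policy and System.Security.Permissions types as shipped; the pre-release NGWS API may differ. The URLs are constructed samples.

```csharp
// Added example, not from the NGWS SDK page. Assumes the .NET Framework
// System.Security.Policy / System.Security.Permissions API as shipped.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

public sealed class IdentityDemo
{
    // Builds host evidence for a constructed origin URL.
    public static Evidence BuildEvidence(string origin)
    {
        Evidence ev = new Evidence();
        ev.AddHost(new Url(origin));
        return ev;
    }

    // Evidence -> identity permission. Only evidence types that implement
    // IIdentityPermissionFactory can produce one; the others are skipped.
    public static UrlIdentityPermission UrlIdentityFromEvidence(Evidence ev)
    {
        foreach (object o in ev)
        {
            IIdentityPermissionFactory factory = o as IIdentityPermissionFactory;
            if (factory == null)
                continue;
            UrlIdentityPermission p = factory.CreateIdentityPermission(ev) as UrlIdentityPermission;
            if (p != null)
                return p;
        }
        return null;
    }

    public static void Main()
    {
        Evidence ev = BuildEvidence("http://www.example.com/bin/app.dll");

        // ApplicationDirectory is evidence too, but it has no identity permission.
        ev.AddHost(new ApplicationDirectory("http://www.example.com/"));

        foreach (object o in ev)
        {
            string kind = (o is IIdentityPermissionFactory)
                ? "has an identity permission"
                : "has no identity permission";
            Console.WriteLine(o.GetType().Name + ": " + kind);
        }

        // The identity permission is a permission object: it takes part in
        // permission algebra (IsSubsetOf, Intersect, Union) like any other
        // permission, which the evidence object itself does not.
        UrlIdentityPermission granted = UrlIdentityFromEvidence(ev);
        UrlIdentityPermission wildcard = new UrlIdentityPermission("http://www.example.com/*");
        Console.WriteLine("exact URL identity is subset of wildcard: " + granted.IsSubsetOf(wildcard));
        Console.WriteLine("wildcard identity is subset of exact URL: " + wildcard.IsSubsetOf(granted));

        // The membership condition uses the same wildcard notation but is
        // evaluated against the Evidence collection to decide group membership.
        Console.WriteLine("matches http://www.example.com/*: "
            + new UrlMembershipCondition("http://www.example.com/*").Check(ev));
        Console.WriteLine("matches http://evil.example.net/*: "
            + new UrlMembershipCondition("http://evil.example.net/*").Check(ev));
    }
}
```

CreateIdentityPermission receives the whole Evidence collection, not just the object it is called on, so an evidence type can consult other evidence when deciding what identity to grant; the built-in Url type ignores the argument and grants an identity for its own URL.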