Identity permissions check code identity based on evidence about the application code and provide reliable information about the identity of managed code. Just as other permissions describe protected operations on resources that are used to make security decisions, identity permissions describe code identities upon which security decisions can be made. Supported forms of code identity are:
Identity permissions should only be used to infer additional trust when satisfied – it is not recommended to use an identity check as a basis to disallow an operation when the identity matches. Use of positive identity checks to reduce access to specific entities are easily defeated by hiding of evidence, which can be accomplished in a variety of ways. Examples include: checking for a certain software publisher (may hide identity by not signing), or a certain web site (may hide by use of another server address), and so forth.