add security warning on strong names (#6028)

BillWagner · web-flow · commit 1bc764c7a486 · 2018-06-19T13:27:18.000-04:00
* add security warning on strong names Fixes #2803 Add warning that strong names are not a security feature. * add warning per feedback
diff --git a/docs/framework/app-domains/assembly-security-considerations.md b/docs/framework/app-domains/assembly-security-considerations.md
@@ -39,9 +39,13 @@ ms.author: "ronpet"
  At load time, the assembly's evidence is used as input to security policy. Security policy is established by the enterprise and the computer's administrator as well as by user policy settings, and determines the set of permissions that is granted to all managed code when executed. Security policy can be established for the publisher of the assembly (if it has a signing tool generated signature), for the Web site and zone (in Internet Explorer terms) the assembly was downloaded from, or for the assembly's strong name. For example, a computer's administrator can establish security policy that allows all code downloaded from a Web site and signed by a given software company to access a database on a computer, but does not grant access to write to the computer's disk.  
   
 ## Strong-Named Assemblies and Signing Tools  
+
+ > [!WARNING]
+ > Do not rely on strong names for security. They provide a unique identity only.
+
  You can sign an assembly in two different but complementary ways: with a strong name or by using  [SignTool.exe (Sign Tool)](../../../docs/framework/tools/signtool-exe.md). Signing an assembly with a strong name adds public key encryption to the file containing the assembly manifest. Strong name signing helps to verify name uniqueness, prevent name spoofing, and provide callers with some identity when a reference is resolved.  
   
- However, no level of trust is associated with a strong name, which makes [SignTool.exe (Sign Tool)](../../../docs/framework/tools/signtool-exe.md) important. The two signing tools require a publisher to prove its identity to a third-party authority and obtain a certificate. This certificate is then embedded in your file and can be used by an administrator to decide whether to trust the code's authenticity.  
+ No level of trust is associated with a strong name, which makes [SignTool.exe (Sign Tool)](../../../docs/framework/tools/signtool-exe.md) important. The two signing tools require a publisher to prove its identity to a third-party authority and obtain a certificate. This certificate is then embedded in your file and can be used by an administrator to decide whether to trust the code's authenticity.  
   
  You can give both a strong name and a digital signature created using [SignTool.exe (Sign Tool)](../../../docs/framework/tools/signtool-exe.md) to an assembly, or you can use either alone. The two signing tools can sign only one file at a time; for a multifile assembly, you sign the file that contains the assembly manifest. A strong name is stored in the file containing the assembly manifest, but a signature created using [SignTool.exe (Sign Tool)](../../../docs/framework/tools/signtool-exe.md) is stored in a reserved slot in the portable executable (PE) file containing the assembly manifest. Signing of an assembly using [SignTool.exe (Sign Tool)](../../../docs/framework/tools/signtool-exe.md) can be used (with or without a strong name) when you already have a trust hierarchy that relies on[SignTool.exe (Sign Tool)](../../../docs/framework/tools/signtool-exe.md) generated signatures, or when your policy uses only the key portion and does not check a chain of trust.  
   
diff --git a/docs/framework/app-domains/create-and-use-strong-named-assemblies.md b/docs/framework/app-domains/create-and-use-strong-named-assemblies.md
@@ -17,6 +17,9 @@ ms.author: "ronpet"
 ---
 # Creating and Using Strong-Named Assemblies
 <a name="top"></a> A strong name consists of the assembly's identity—its simple text name, version number, and culture information (if provided)—plus a public key and a digital signature. It is generated from an assembly file using the corresponding private key. (The assembly file contains the assembly manifest, which contains the names and hashes of all the files that make up the assembly.)  
+
+> [!WARNING]
+> Do not rely on strong names for security. They provide a unique identity only.
   
  A strong-named assembly can only use types from other strong-named assemblies. Otherwise, the integrity of the strong-named assembly would be compromised.  
   
diff --git a/docs/framework/tools/sn-exe-strong-name-tool.md b/docs/framework/tools/sn-exe-strong-name-tool.md
@@ -16,6 +16,9 @@ ms.author: "ronpet"
 # Sn.exe (Strong Name Tool)
 The Strong Name tool (Sn.exe) helps sign assemblies with [strong names](../../../docs/framework/app-domains/strong-named-assemblies.md). Sn.exe provides options for key management, signature generation, and signature verification.  
   
+> [!WARNING]
+> Do not rely on strong names for security. They provide a unique identity only.
+
  For more information on strong naming and strong-named assemblies, see [Strong-Named Assemblies](../../../docs/framework/app-domains/strong-named-assemblies.md) and [How to: Sign an Assembly with a Strong Name](../../../docs/framework/app-domains/how-to-sign-an-assembly-with-a-strong-name.md).  
   
  The Strong Name tool is automatically installed with Visual Studio. To start the tool, use the Developer Command Prompt (or the Visual Studio Command Prompt in Windows 7). For more information, see [Command Prompts](../../../docs/framework/tools/developer-command-prompt-for-vs.md).  
