<?xml version="1.0" encoding="utf-8"?>

<!-- Copyright (c) 2007-2010 Nokia Corporation and/or its subsidiary(-ies) All rights reserved. -->

<!-- This component and the accompanying materials are made available under the terms of the License 

"Eclipse Public License v1.0" which accompanies this distribution, 

and is available at the URL "http://www.eclipse.org/legal/epl-v10.html". -->

<!-- Initial Contributors:

    Nokia Corporation - initial contribution.

Contributors: 

-->

<!DOCTYPE concept

  PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">

<concept xml:lang="en" id="GUID-6FCAB5DC-D3E9-5406-8B9E-E1B1CF18C73F"><title> OCSP Configuration</title><prolog><metadata><keywords/></metadata></prolog><conbody><p>Online Certificate Status Protocol (OCSP) is an Internet protocol used by applications to obtain the revocation status of an X.509 digital certificate. </p> <p>The OCSP policy configuration file is stored as <filepath>z:\system\data\ocsppolicy.ini</filepath>. The default implementation looks like this: </p> <codeblock id="GUID-83431852-4A24-5C6A-B040-6E60877C7A82" xml:space="preserve">GenerateResponseForMissingUri = true

EnableHttpGETMethod = false</codeblock> <p>Device creators must modify the configuration file and rebuild the <xref href="GUID-2BB17FB4-07A9-52E3-A650-570A16FA771D.dita">securityconfig</xref> component, to customise the behavior of the OCSP component. </p> <section><title> Description</title> <table id="GUID-7402F366-E306-56EE-81E2-ABE4F98C30BA"><tgroup cols="3"><colspec colname="col0"/><colspec colname="col1"/><colspec colname="col2"/><tbody><row><entry><p> <b>Flag Name</b>  </p> </entry> <entry><p> <b>Default Value</b>  </p> </entry> <entry><p> <b>Description</b>  </p> </entry> </row> <row><entry><p> <codeph> GenerateResponseForMissingUri </codeph>  </p> </entry> <entry><p> <codeph>true</codeph>  </p> </entry> <entry><p>Decides whether an OCSP client should send a request and expect a response even if both Authority Information Access (AIA) in the certificate and the global OCSP URL are not present. </p> <p> <xref scope="external" href="http://www.openssl.org/docs/apps/x509v3_config.html#Authority_Info_Access_">AIA extension</xref> and the <xref scope="external" href="http://openssl.org/docs/apps/ocsp.html">global OCSP URI</xref> are the two sources to get the trust status of the certificate, and it is required that one of these two sources must be present to get correct trust status of the certificate. </p> <p>The <codeph>GenerateResponseForMissingUri</codeph> flag allows to override the default settings in the following ways: </p> <ul><li id="GUID-30EF1EAA-8ED2-5E49-B49C-766A3C691937"><p>If <codeph>GenerateResponseForMissingUri</codeph> flag is set to <codeph>true</codeph>, the OCSP client is allowed to send an OCSP request and expect a response, even if both AIA and global OCSP URI sources are not present. </p> </li> <li id="GUID-6F054D62-1F43-58F9-859B-7276D8A2C823"><p>If the flag is set to <codeph>false</codeph>, the OCSP client is not allowed to send an OCSP request and expect an response thereby. </p> </li> </ul> </entry> </row> <row><entry><p> <codeph>EnableHttpGETMethod </codeph>  </p> </entry> <entry><p> <codeph>false</codeph>  </p> </entry> <entry><p>Decides how the OCSP request should be sent when a request size is small. </p> <p>HTTP based OCSP requests can use GET or the POST method to submit their requests. </p> <ul><li id="GUID-3C993B14-CDF7-587A-BA18-6B2B57384F3E"><p>Use GET method for enabling HTTP caching, if a request size (even after encoding) is lesser than 255 bytes. </p> </li> <li id="GUID-5E49E5D5-D044-5B42-927D-1167FED1EBEE"><p>Use POST method, if HTTP caching is not important, or the request is greater than 255 bytes. </p> </li> </ul> <p>You need to set <codeph>EnableHttpGETMethod</codeph> flag as <codeph>false</codeph>, to forcibly submit using POST method, even if the request is less than 255 bytes. </p> </entry> </row> </tbody> </tgroup> </table> <p>For more details about these two flags, see <xref scope="external" href="http://www.faqs.org/rfcs/rfc2560.html">RFC2560 - X.509 PKI OCSP standard</xref>. </p> </section> <section><title>See also</title> <p><xref href="GUID-2BB17FB4-07A9-52E3-A650-570A16FA771D.dita">SecurityConfig Overview</xref>  </p> </section> </conbody></concept>