Symbian3/PDK/Source/GUID-C893C9E6-47B8-5149-9808-0274C61CF3D7.dita
changeset 1 25a17d01db0c
child 3 46218c8b8afa
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/Symbian3/PDK/Source/GUID-C893C9E6-47B8-5149-9808-0274C61CF3D7.dita	Fri Jan 22 18:26:19 2010 +0000
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2007-2010 Nokia Corporation and/or its subsidiary(-ies) All rights reserved. -->
+<!-- This component and the accompanying materials are made available under the terms of the License 
+"Eclipse Public License v1.0" which accompanies this distribution, 
+and is available at the URL "http://www.eclipse.org/legal/epl-v10.html". -->
+<!-- Initial Contributors:
+    Nokia Corporation - initial contribution.
+Contributors: 
+-->
+<!DOCTYPE concept
+  PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
+<concept id="GUID-C893C9E6-47B8-5149-9808-0274C61CF3D7" xml:lang="en"><title>OCSP-SWI
+Integration</title><abstract><p>The Symbian platform provides the ability to validate and manage <xref href="GUID-C676C4E6-93AF-59E9-886D-74D59F154490.dita">X.509</xref> certificates.
+This ability is integrated into the software installation process to provide
+Secure Software Install (SWI) with the functionality of performing certificate
+checking at installation time. During installation, SWI checks whether the
+certificates associated with the application to be installed have been revoked.
+It performs this check by using Online Certificate Status Protocol (OCSP). </p><p>You
+can configure SWI to enable or disable the revocation status check of certificates.
+In addition, SWI can also be configured to supply the OCSP client with a default
+Uniform Resource Identifier (URI) for the OCSP server.</p></abstract><prolog><metadata><keywords/></metadata></prolog><conbody>
+<p>You can configure SWI to enable or disable the revocation status check
+of certificates. In addition, SWI can also be configured to supply the OCSP
+client with a default Uniform Resource Identifier (URI) for the OCSP server. </p>
+<section><title>Installing software based on OCSP check</title> <p>SWI validates
+the certificate in the install file. As part of validation, it carries out
+revocation check, depending on the setting of the <codeph>OcspEnabled</codeph> parameter
+in the <codeph>swipolicy.ini</codeph> file. If the revocation check option
+is not enabled, a warning is displayed giving options to carry out revocation
+check, to continue without revocation check or to cancel the installation.
+If the option is enabled, all certificates in the chain except the <xref href="GUID-2800C486-2FB4-5C5C-990F-CC1A290F7E0C.dita">root</xref> are
+checked. </p> <p> <b>Note:</b> For details on how certificates are validated,
+see <xref href="GUID-A3B58436-07E4-565B-800B-86435D205461.dita">Certificate Validation
+in PKIX</xref>. </p> <p>The results of revocation check decide whether the
+application can be installed. The following are the scenarios associated with
+the certificate revocation check: </p> <ul>
+<li id="GUID-EE8C335A-B74D-56D3-9DC5-8E7D9D9C8EB8"><p>If the OCSP client indicates
+that no certificates are revoked and the operation completes successfully
+with no errors or warnings, the software can be installed. </p> </li>
+<li id="GUID-0F861436-15DE-56C7-A06D-C93C30829313"><p>If OCSP indicates that
+any of the certificates is revoked or if the signature on the OCSP response
+is invalid, a security error is issued and the software cannot be installed. </p> </li>
+<li id="GUID-F8A8F1FB-DC90-58B0-98B7-8EFE4255A2D6"><p>If the revocation status
+of a certificate cannot be determined (because of reasons like lack of network
+access or OCSP responder error), SWI behaves as if the software were unsigned.
+The setting of the <codeph>AllowUnsigned</codeph> parameter in the <codeph>swipolicy.ini</codeph> file
+determines whether the unsigned software can be installed or not. If the parameter
+value is true, SWI issues a warning before installing but allows installation
+of the software. Otherwise it issues an error and does not allow installation. </p> </li>
+</ul> <p> <b>Note:</b> For details of the various parameters in <codeph>swipolicy.ini</codeph>,
+see <xref href="GUID-F8C2E97C-35EC-5437-BC6B-E2A622D2DC4D.dita">Secure Software
+Install Reference</xref>. </p> </section>
+</conbody><related-links>
+<link href="GUID-90DF40EF-7D3F-551D-9957-A3756317A254.dita"><linktext>Online Certificate
+Status Protocol</linktext></link>
+</related-links></concept>
\ No newline at end of file