<?xml version="1.0" encoding="utf-8"?>

<!-- Copyright (c) 2007-2010 Nokia Corporation and/or its subsidiary(-ies) All rights reserved. -->

<!-- This component and the accompanying materials are made available under the terms of the License 

"Eclipse Public License v1.0" which accompanies this distribution, 

and is available at the URL "http://www.eclipse.org/legal/epl-v10.html". -->

<!-- Initial Contributors:

    Nokia Corporation - initial contribution.

Contributors: 

-->

<!DOCTYPE concept

  PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">

<concept id="GUID-C893C9E6-47B8-5149-9808-0274C61CF3D7" xml:lang="en"><title>OCSP-SWI Integration</title><abstract><p>The Symbian platform provides the ability to validate

and manage <xref href="GUID-C676C4E6-93AF-59E9-886D-74D59F154490.dita">X.509</xref> certificates. This ability is integrated into the software

installation process to provide Secure Software Install (SWI) with

the functionality of performing certificate checking at installation

time. During installation, SWI checks whether the certificates associated

with the application to be installed have been revoked. It performs

this check by using Online Certificate Status Protocol (OCSP). </p><p>You can configure SWI to enable or disable the revocation status

check of certificates. In addition, SWI can also be configured to

supply the OCSP client with a default Uniform Resource Identifier

(URI) for the OCSP server.</p></abstract><prolog><metadata><keywords/></metadata></prolog><conbody>

<p>You can configure SWI to enable or disable the revocation status

check of certificates. In addition, SWI can also be configured to

supply the OCSP client with a default Uniform Resource Identifier

(URI) for the OCSP server. </p>

<section id="GUID-847C8586-8023-4F5F-8A25-028AEE1A8F06"><title>Installing software based on OCSP check</title> <p>SWI validates the certificate in the install file. As part of validation,

it carries out revocation check, depending on the setting of the <codeph>OcspEnabled</codeph> parameter in the <codeph>swipolicy.ini</codeph> file. If the revocation check option is enabled, a

warning is displayed giving options to carry out revocation check,

to continue without revocation check or to cancel the installation.

If the option is enabled, all certificates in the chain except the <xref href="GUID-2800C486-2FB4-5C5C-990F-CC1A290F7E0C.dita">root</xref> are checked. </p> <p> <b>Note:</b> For details on how certificates are validated,

see <xref href="GUID-A3B58436-07E4-565B-800B-86435D205461.dita">Certificate

Validation in PKIX</xref>. </p> <p>The results of revocation check

decide whether the application can be installed. The following are

the scenarios associated with the certificate revocation check: </p> <ul>

<li id="GUID-EE8C335A-B74D-56D3-9DC5-8E7D9D9C8EB8"><p>If the OCSP

client indicates that no certificates are revoked and the operation

completes successfully with no errors or warnings, the software can

be installed. </p> </li>

<li id="GUID-0F861436-15DE-56C7-A06D-C93C30829313"><p>If OCSP indicates

that any of the certificates is revoked or if the signature on the

OCSP response is invalid, a security error is issued and the software

cannot be installed. </p> </li>

<li id="GUID-F8A8F1FB-DC90-58B0-98B7-8EFE4255A2D6"><p>If the revocation

status of a certificate cannot be determined (because of reasons like

lack of network access or OCSP responder error), SWI behaves as if

the software were unsigned. The setting of the <codeph>AllowUnsigned</codeph> parameter in the <codeph>swipolicy.ini</codeph> file determines

whether the unsigned software can be installed or not. If the parameter

value is true, SWI issues a warning before installing but allows installation

of the software. Otherwise it issues an error and does not allow installation. </p> </li>

</ul> <p> <b>Note:</b> For details of the various parameters in <codeph>swipolicy.ini</codeph>, see <xref href="GUID-F8C2E97C-35EC-5437-BC6B-E2A622D2DC4D.dita">Secure Software Install

Reference</xref>. </p> </section>

</conbody><related-links>

<link href="GUID-90DF40EF-7D3F-551D-9957-A3756317A254.dita"><linktext>Online

Certificate Status Protocol</linktext></link>