Mercurial Mercurial > oss > MCL > sftools > depl > docscontent / comparison
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Symbian3/SDK/Source/GUID-C893C9E6-47B8-5149-9808-0274C61CF3D7.dita
changeset 0 89d6a7a84779
child 8 ae94777fff8f
equal deleted inserted replaced
-1:000000000000 0:89d6a7a84779 
       
     1 <?xml version="1.0" encoding="utf-8"?>
 
       
     2 <!-- Copyright (c) 2007-2010 Nokia Corporation and/or its subsidiary(-ies) All rights reserved. -->
 
       
     3 <!-- This component and the accompanying materials are made available under the terms of the License 
       
     4 "Eclipse Public License v1.0" which accompanies this distribution, 
       
     5 and is available at the URL "http://www.eclipse.org/legal/epl-v10.html". -->
 
       
     6 <!-- Initial Contributors:
 
       
     7     Nokia Corporation - initial contribution.
 
       
     8 Contributors: 
       
     9 -->
 
       
    10 <!DOCTYPE concept
 
       
    11   PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
 
       
    12 <concept id="GUID-C893C9E6-47B8-5149-9808-0274C61CF3D7" xml:lang="en"><title>OCSP-SWI
 
       
    13 Integration</title><abstract><p>The Symbian platform provides the ability to validate and manage <xref href="GUID-C676C4E6-93AF-59E9-886D-74D59F154490.dita">X.509</xref> certificates.
 
       
    14 This ability is integrated into the software installation process to provide
 
       
    15 Secure Software Install (SWI) with the functionality of performing certificate
 
       
    16 checking at installation time. During installation, SWI checks whether the
 
       
    17 certificates associated with the application to be installed have been revoked.
 
       
    18 It performs this check by using Online Certificate Status Protocol (OCSP). </p><p>You
 
       
    19 can configure SWI to enable or disable the revocation status check of certificates.
 
       
    20 In addition, SWI can also be configured to supply the OCSP client with a default
 
       
    21 Uniform Resource Identifier (URI) for the OCSP server.</p></abstract><prolog><metadata><keywords/></metadata></prolog><conbody>
 
       
    22 <p>You can configure SWI to enable or disable the revocation status check
 
       
    23 of certificates. In addition, SWI can also be configured to supply the OCSP
 
       
    24 client with a default Uniform Resource Identifier (URI) for the OCSP server. </p>
 
       
    25 <section><title>Installing software based on OCSP check</title> <p>SWI validates
 
       
    26 the certificate in the install file. As part of validation, it carries out
 
       
    27 revocation check, depending on the setting of the <codeph>OcspEnabled</codeph> parameter
 
       
    28 in the <codeph>swipolicy.ini</codeph> file. If the revocation check option
 
       
    29 is not enabled, a warning is displayed giving options to carry out revocation
 
       
    30 check, to continue without revocation check or to cancel the installation.
 
       
    31 If the option is enabled, all certificates in the chain except the <xref href="GUID-2800C486-2FB4-5C5C-990F-CC1A290F7E0C.dita">root</xref> are
 
       
    32 checked. </p> <p> <b>Note:</b> For details on how certificates are validated,
 
       
    33 see <xref href="GUID-A3B58436-07E4-565B-800B-86435D205461.dita">Certificate Validation
 
       
    34 in PKIX</xref>. </p> <p>The results of revocation check decide whether the
 
       
    35 application can be installed. The following are the scenarios associated with
 
       
    36 the certificate revocation check: </p> <ul>
 
       
    37 <li id="GUID-EE8C335A-B74D-56D3-9DC5-8E7D9D9C8EB8"><p>If the OCSP client indicates
 
       
    38 that no certificates are revoked and the operation completes successfully
 
       
    39 with no errors or warnings, the software can be installed. </p> </li>
 
       
    40 <li id="GUID-0F861436-15DE-56C7-A06D-C93C30829313"><p>If OCSP indicates that
 
       
    41 any of the certificates is revoked or if the signature on the OCSP response
 
       
    42 is invalid, a security error is issued and the software cannot be installed. </p> </li>
 
       
    43 <li id="GUID-F8A8F1FB-DC90-58B0-98B7-8EFE4255A2D6"><p>If the revocation status
 
       
    44 of a certificate cannot be determined (because of reasons like lack of network
 
       
    45 access or OCSP responder error), SWI behaves as if the software were unsigned.
 
       
    46 The setting of the <codeph>AllowUnsigned</codeph> parameter in the <codeph>swipolicy.ini</codeph> file
 
       
    47 determines whether the unsigned software can be installed or not. If the parameter
 
       
    48 value is true, SWI issues a warning before installing but allows installation
 
       
    49 of the software. Otherwise it issues an error and does not allow installation. </p> </li>
 
       
    50 </ul> <p> <b>Note:</b> For details of the various parameters in <codeph>swipolicy.ini</codeph>,
 
       
    51 see <xref href="GUID-F8C2E97C-35EC-5437-BC6B-E2A622D2DC4D.dita">Secure Software
 
       
    52 Install Reference</xref>. </p> </section>
 
       
    53 </conbody><related-links>
 
       
    54 <link href="GUID-90DF40EF-7D3F-551D-9957-A3756317A254.dita"><linktext>Online Certificate
 
       
    55 Status Protocol</linktext></link>
 
       
    56 </related-links></concept>
MCL/sftools/depl/docscontent