<?xml version="1.0" encoding="utf-8"?>
<!-- Copyright (c) 2007-2010 Nokia Corporation and/or its subsidiary(-ies) All rights reserved. -->
<!-- This component and the accompanying materials are made available under the terms of the License
"Eclipse Public License v1.0" which accompanies this distribution,
and is available at the URL "http://www.eclipse.org/legal/epl-v10.html". -->
<!-- Initial Contributors:
Nokia Corporation - initial contribution.
Contributors:
-->
<!DOCTYPE concept
PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
<concept id="GUID-C893C9E6-47B8-5149-9808-0274C61CF3D7" xml:lang="en"><title>OCSP-SWI
Integration</title><abstract><p>The Symbian platform provides the ability to validate and manage <xref href="GUID-C676C4E6-93AF-59E9-886D-74D59F154490.dita">X.509</xref> certificates.
This ability is integrated into the software installation process to provide
Secure Software Install (SWI) with the functionality of performing certificate
checking at installation time. During installation, SWI checks whether the
certificates associated with the application to be installed have been revoked.
It performs this check by using the Online Certificate Status Protocol (OCSP). </p><p>You
can configure SWI to enable or disable the revocation status check of certificates.
SWI can also be configured to supply the OCSP client with a default
Uniform Resource Identifier (URI) for the OCSP server.</p></abstract><prolog><metadata><keywords/></metadata></prolog><conbody>
<p>You can configure SWI to enable or disable the revocation status check
of certificates. SWI can also be configured to supply the OCSP
client with a default Uniform Resource Identifier (URI) for the OCSP server. </p>
<section><title>Installing software based on OCSP check</title> <p>SWI validates
the certificate in the install file. As part of validation, it carries out
a revocation check, depending on the setting of the <codeph>OcspEnabled</codeph> parameter
in the <codeph>swipolicy.ini</codeph> file. If the revocation check option
is not enabled, a warning is displayed giving options to carry out the revocation
check, to continue without a revocation check or to cancel the installation.
If the option is enabled, all certificates in the chain except the <xref href="GUID-2800C486-2FB4-5C5C-990F-CC1A290F7E0C.dita">root</xref> are
checked. </p> <p> <b>Note:</b> For details on how certificates are validated,
see <xref href="GUID-A3B58436-07E4-565B-800B-86435D205461.dita">Certificate Validation
in PKIX</xref>. </p> <p>The result of the revocation check decides whether the
application can be installed. The following are the scenarios associated with
the certificate revocation check: </p> <ul>
<li id="GUID-EE8C335A-B74D-56D3-9DC5-8E7D9D9C8EB8"><p>If the OCSP client indicates
that no certificates are revoked and the operation completes successfully
with no errors or warnings, the software can be installed. </p> </li>
<li id="GUID-0F861436-15DE-56C7-A06D-C93C30829313"><p>If OCSP indicates that
any of the certificates is revoked or if the signature on the OCSP response
is invalid, a security error is issued and the software cannot be installed. </p> </li>
<li id="GUID-F8A8F1FB-DC90-58B0-98B7-8EFE4255A2D6"><p>If the revocation status
of a certificate cannot be determined (for reasons such as lack of network
access or an OCSP responder error), SWI behaves as if the software were unsigned.
The setting of the <codeph>AllowUnsigned</codeph> parameter in the <codeph>swipolicy.ini</codeph> file
determines whether unsigned software can be installed. If the parameter
value is true, SWI issues a warning before installing but allows installation
of the software. Otherwise it issues an error and does not allow installation. </p> </li>
</ul> <p> <b>Note:</b> For details of the various parameters in <codeph>swipolicy.ini</codeph>,
see <xref href="GUID-F8C2E97C-35EC-5437-BC6B-E2A622D2DC4D.dita">Secure Software
Install Reference</xref>. </p> </section>
</conbody><related-links>
<link href="GUID-90DF40EF-7D3F-551D-9957-A3756317A254.dita"><linktext>Online Certificate
Status Protocol</linktext></link>
</related-links></concept>
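
The decision rules in "Installing software based on OCSP check", written out as a small policy evaluator so that a policy file can be checked for soft-fail revocation behaviour. This is an added example, not Symbian or SWI code. It assumes `swipolicy.ini` uses `Key = value` lines and treats a missing key as false; the outcome labels, function names and sample policies are hypothetical.

```python
from enum import Enum

class Ocsp(Enum):
    GOOD = "good"                    # not revoked, no errors or warnings
    REVOKED = "revoked"              # certificate reported as revoked
    BAD_SIGNATURE = "bad_signature"  # signature on the OCSP response is invalid
    UNKNOWN = "unknown"              # no network access, responder error, ...

# Constructed sample policies (assumed "Key = value" layout).
SOFT_FAIL = "; constructed sample\nOcspEnabled = true\nAllowUnsigned = true\n"
HARD_FAIL = "; constructed sample\nOcspEnabled = true\nAllowUnsigned = false\n"

def parse_policy(text):
    """Parse 'Key = value' lines into a dict with lower-cased keys and values."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        policy[key.strip().lower()] = value.strip().lower()
    return policy

def flag(policy, name):
    # Assumption: a key that is absent from the file counts as false.
    return policy.get(name.lower(), "false") == "true"

def install_decision(policy, chain_results):
    """chain_results: one Ocsp value per certificate in the chain, root excluded."""
    if not flag(policy, "OcspEnabled"):
        return "prompt"  # user may check, continue without a check, or cancel
    if any(r in (Ocsp.REVOKED, Ocsp.BAD_SIGNATURE) for r in chain_results):
        return "security-error"
    if any(r is Ocsp.UNKNOWN for r in chain_results):
        # Undetermined status: SWI behaves as if the software were unsigned.
        return "warn-and-install" if flag(policy, "AllowUnsigned") else "error"
    return "install"

def revocation_enforced(policy):
    """True only if an undetermined OCSP result blocks the installation."""
    return install_decision(policy, [Ocsp.UNKNOWN]) == "error"

if __name__ == "__main__":
    for name, text in (("SOFT_FAIL", SOFT_FAIL), ("HARD_FAIL", HARD_FAIL)):
        p = parse_policy(text)
        print(name, install_decision(p, [Ocsp.GOOD, Ocsp.UNKNOWN]),
              "enforced" if revocation_enforced(p) else "not enforced")
```

With `AllowUnsigned = true`, an OCSP lookup that cannot complete ends in a warning rather than a refusal, so the revocation check only blocks installation when `OcspEnabled` is true and `AllowUnsigned` is false.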