7 Nokia Corporation - initial contribution. |
7 Nokia Corporation - initial contribution. |
8 Contributors: |
8 Contributors: |
9 --> |
9 --> |
10 <!DOCTYPE concept |
10 <!DOCTYPE concept |
11 PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd"> |
11 PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd"> |
12 <concept id="GUID-C893C9E6-47B8-5149-9808-0274C61CF3D7" xml:lang="en"><title>OCSP-SWI |
12 <concept id="GUID-C893C9E6-47B8-5149-9808-0274C61CF3D7" xml:lang="en"><title>OCSP-SWI Integration</title><abstract><p>The Symbian platform provides the ability to validate |
13 Integration</title><abstract><p>The Symbian platform provides the ability to validate and manage <xref href="GUID-C676C4E6-93AF-59E9-886D-74D59F154490.dita">X.509</xref> certificates. |
13 and manage <xref href="GUID-C676C4E6-93AF-59E9-886D-74D59F154490.dita">X.509</xref> certificates. This ability is integrated into the software |
14 This ability is integrated into the software installation process to provide |
14 installation process to provide Secure Software Install (SWI) with |
15 Secure Software Install (SWI) with the functionality of performing certificate |
15 the functionality of performing certificate checking at installation |
16 checking at installation time. During installation, SWI checks whether the |
16 time. During installation, SWI checks whether the certificates associated |
17 certificates associated with the application to be installed have been revoked. |
17 with the application to be installed have been revoked. It performs |
18 It performs this check by using Online Certificate Status Protocol (OCSP). </p><p>You |
18 this check by using Online Certificate Status Protocol (OCSP). </p><p>You can configure SWI to enable or disable the revocation status |
19 can configure SWI to enable or disable the revocation status check of certificates. |
19 check of certificates. In addition, SWI can also be configured to |
20 In addition, SWI can also be configured to supply the OCSP client with a default |
20 supply the OCSP client with a default Uniform Resource Identifier |
21 Uniform Resource Identifier (URI) for the OCSP server.</p></abstract><prolog><metadata><keywords/></metadata></prolog><conbody> |
21 (URI) for the OCSP server.</p></abstract><prolog><metadata><keywords/></metadata></prolog><conbody> |
22 <p>You can configure SWI to enable or disable the revocation status check |
22 <p>You can configure SWI to enable or disable the revocation status |
23 of certificates. In addition, SWI can also be configured to supply the OCSP |
23 check of certificates. In addition, SWI can also be configured to |
24 client with a default Uniform Resource Identifier (URI) for the OCSP server. </p> |
24 supply the OCSP client with a default Uniform Resource Identifier |
25 <section><title>Installing software based on OCSP check</title> <p>SWI validates |
25 (URI) for the OCSP server. </p> |
26 the certificate in the install file. As part of validation, it carries out |
26 <section id="GUID-847C8586-8023-4F5F-8A25-028AEE1A8F06"><title>Installing software based on OCSP check</title> <p>SWI validates the certificate in the install file. As part of validation, |
27 revocation check, depending on the setting of the <codeph>OcspEnabled</codeph> parameter |
27 it carries out revocation check, depending on the setting of the <codeph>OcspEnabled</codeph> parameter in the <codeph>swipolicy.ini</codeph> file. If the revocation check option is enabled, a |
28 in the <codeph>swipolicy.ini</codeph> file. If the revocation check option |
28 warning is displayed giving options to carry out revocation check, |
29 is not enabled, a warning is displayed giving options to carry out revocation |
29 to continue without revocation check or to cancel the installation. |
30 check, to continue without revocation check or to cancel the installation. |
30 If the option is enabled, all certificates in the chain except the <xref href="GUID-2800C486-2FB4-5C5C-990F-CC1A290F7E0C.dita">root</xref> are checked. </p> <p> <b>Note:</b> For details on how certificates are validated, |
31 If the option is enabled, all certificates in the chain except the <xref href="GUID-2800C486-2FB4-5C5C-990F-CC1A290F7E0C.dita">root</xref> are |
31 see <xref href="GUID-A3B58436-07E4-565B-800B-86435D205461.dita">Certificate |
32 checked. </p> <p> <b>Note:</b> For details on how certificates are validated, |
32 Validation in PKIX</xref>. </p> <p>The results of revocation check |
33 see <xref href="GUID-A3B58436-07E4-565B-800B-86435D205461.dita">Certificate Validation |
33 decide whether the application can be installed. The following are |
34 in PKIX</xref>. </p> <p>The results of revocation check decide whether the |
34 the scenarios associated with the certificate revocation check: </p> <ul> |
35 application can be installed. The following are the scenarios associated with |
35 <li id="GUID-EE8C335A-B74D-56D3-9DC5-8E7D9D9C8EB8"><p>If the OCSP |
36 the certificate revocation check: </p> <ul> |
36 client indicates that no certificates are revoked and the operation |
37 <li id="GUID-EE8C335A-B74D-56D3-9DC5-8E7D9D9C8EB8"><p>If the OCSP client indicates |
37 completes successfully with no errors or warnings, the software can |
38 that no certificates are revoked and the operation completes successfully |
38 be installed. </p> </li> |
39 with no errors or warnings, the software can be installed. </p> </li> |
39 <li id="GUID-0F861436-15DE-56C7-A06D-C93C30829313"><p>If OCSP indicates |
40 <li id="GUID-0F861436-15DE-56C7-A06D-C93C30829313"><p>If OCSP indicates that |
40 that any of the certificates is revoked or if the signature on the |
41 any of the certificates is revoked or if the signature on the OCSP response |
41 OCSP response is invalid, a security error is issued and the software |
42 is invalid, a security error is issued and the software cannot be installed. </p> </li> |
42 cannot be installed. </p> </li> |
43 <li id="GUID-F8A8F1FB-DC90-58B0-98B7-8EFE4255A2D6"><p>If the revocation status |
43 <li id="GUID-F8A8F1FB-DC90-58B0-98B7-8EFE4255A2D6"><p>If the revocation |
44 of a certificate cannot be determined (because of reasons like lack of network |
44 status of a certificate cannot be determined (because of reasons like |
45 access or OCSP responder error), SWI behaves as if the software were unsigned. |
45 lack of network access or OCSP responder error), SWI behaves as if |
46 The setting of the <codeph>AllowUnsigned</codeph> parameter in the <codeph>swipolicy.ini</codeph> file |
46 the software were unsigned. The setting of the <codeph>AllowUnsigned</codeph> parameter in the <codeph>swipolicy.ini</codeph> file determines |
47 determines whether the unsigned software can be installed or not. If the parameter |
47 whether the unsigned software can be installed or not. If the parameter |
48 value is true, SWI issues a warning before installing but allows installation |
48 value is true, SWI issues a warning before installing but allows installation |
49 of the software. Otherwise it issues an error and does not allow installation. </p> </li> |
49 of the software. Otherwise it issues an error and does not allow installation. </p> </li> |
50 </ul> <p> <b>Note:</b> For details of the various parameters in <codeph>swipolicy.ini</codeph>, |
50 </ul> <p> <b>Note:</b> For details of the various parameters in <codeph>swipolicy.ini</codeph>, see <xref href="GUID-F8C2E97C-35EC-5437-BC6B-E2A622D2DC4D.dita">Secure Software Install |
51 see <xref href="GUID-F8C2E97C-35EC-5437-BC6B-E2A622D2DC4D.dita">Secure Software |
51 Reference</xref>. </p> </section> |
52 Install Reference</xref>. </p> </section> |
|
53 </conbody><related-links> |
52 </conbody><related-links> |
54 <link href="GUID-90DF40EF-7D3F-551D-9957-A3756317A254.dita"><linktext>Online Certificate |
53 <link href="GUID-90DF40EF-7D3F-551D-9957-A3756317A254.dita"><linktext>Online |
55 Status Protocol</linktext></link> |
54 Certificate Status Protocol</linktext></link> |
56 </related-links></concept> |
55 </related-links></concept> |