Mercurial Mercurial > oss > MCL > sftools > depl > docscontent / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Symbian3/SDK/Source/GUID-C893C9E6-47B8-5149-9808-0274C61CF3D7.dita
author Dominic Pinkman <Dominic.Pinkman@Nokia.com>
Thu, 21 Jan 2010 18:18:20 +0000
changeset 0 89d6a7a84779
child 8 ae94777fff8f
permissions -rw-r--r--
Initial contribution of Documentation_content according to Feature bug 1266 bug 1268 bug 1269 bug 1270 bug 1372 bug 1374 bug 1375 bug 1379 bug 1380 bug 1381 bug 1382 bug 1383 bug 1385

<?xml version="1.0" encoding="utf-8"?>
<!-- Copyright (c) 2007-2010 Nokia Corporation and/or its subsidiary(-ies) All rights reserved. -->
<!-- This component and the accompanying materials are made available under the terms of the License 
"Eclipse Public License v1.0" which accompanies this distribution, 
and is available at the URL "http://www.eclipse.org/legal/epl-v10.html". -->
<!-- Initial Contributors:
    Nokia Corporation - initial contribution.
Contributors: 
-->
<!DOCTYPE concept
  PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
<concept id="GUID-C893C9E6-47B8-5149-9808-0274C61CF3D7" xml:lang="en"><title>OCSP-SWI
Integration</title><abstract><p>The Symbian platform provides the ability to validate and manage <xref href="GUID-C676C4E6-93AF-59E9-886D-74D59F154490.dita">X.509</xref> certificates.
This ability is integrated into the software installation process to provide
Secure Software Install (SWI) with the functionality of performing certificate
checking at installation time. During installation, SWI checks whether the
certificates associated with the application to be installed have been revoked.
It performs this check by using Online Certificate Status Protocol (OCSP). </p><p>You
can configure SWI to enable or disable the revocation status check of certificates.
In addition, SWI can also be configured to supply the OCSP client with a default
Uniform Resource Identifier (URI) for the OCSP server.</p></abstract><prolog><metadata><keywords/></metadata></prolog><conbody>
<p>You can configure SWI to enable or disable the revocation status check
of certificates. In addition, SWI can also be configured to supply the OCSP
client with a default Uniform Resource Identifier (URI) for the OCSP server. </p>
<section><title>Installing software based on OCSP check</title> <p>SWI validates
the certificate in the install file. As part of validation, it carries out
revocation check, depending on the setting of the <codeph>OcspEnabled</codeph> parameter
in the <codeph>swipolicy.ini</codeph> file. If the revocation check option
is not enabled, a warning is displayed giving options to carry out revocation
check, to continue without revocation check or to cancel the installation.
If the option is enabled, all certificates in the chain except the <xref href="GUID-2800C486-2FB4-5C5C-990F-CC1A290F7E0C.dita">root</xref> are
checked. </p> <p> <b>Note:</b> For details on how certificates are validated,
see <xref href="GUID-A3B58436-07E4-565B-800B-86435D205461.dita">Certificate Validation
in PKIX</xref>. </p> <p>The results of revocation check decide whether the
application can be installed. The following are the scenarios associated with
the certificate revocation check: </p> <ul>
<li id="GUID-EE8C335A-B74D-56D3-9DC5-8E7D9D9C8EB8"><p>If the OCSP client indicates
that no certificates are revoked and the operation completes successfully
with no errors or warnings, the software can be installed. </p> </li>
<li id="GUID-0F861436-15DE-56C7-A06D-C93C30829313"><p>If OCSP indicates that
any of the certificates is revoked or if the signature on the OCSP response
is invalid, a security error is issued and the software cannot be installed. </p> </li>
<li id="GUID-F8A8F1FB-DC90-58B0-98B7-8EFE4255A2D6"><p>If the revocation status
of a certificate cannot be determined (because of reasons like lack of network
access or OCSP responder error), SWI behaves as if the software were unsigned.
The setting of the <codeph>AllowUnsigned</codeph> parameter in the <codeph>swipolicy.ini</codeph> file
determines whether the unsigned software can be installed or not. If the parameter
value is true, SWI issues a warning before installing but allows installation
of the software. Otherwise it issues an error and does not allow installation. </p> </li>
</ul> <p> <b>Note:</b> For details of the various parameters in <codeph>swipolicy.ini</codeph>,
see <xref href="GUID-F8C2E97C-35EC-5437-BC6B-E2A622D2DC4D.dita">Secure Software
Install Reference</xref>. </p> </section>
</conbody><related-links>
<link href="GUID-90DF40EF-7D3F-551D-9957-A3756317A254.dita"><linktext>Online Certificate
Status Protocol</linktext></link>
</related-links></concept>
MCL/sftools/depl/docscontent