Mercurial Mercurial > oss > MCL > sftools > depl > docscontent / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Symbian3/SDK/Source/GUID-C893C9E6-47B8-5149-9808-0274C61CF3D7.dita
author Dominic Pinkman <dominic.pinkman@nokia.com>
Fri, 11 Jun 2010 12:39:03 +0100
changeset 8 ae94777fff8f
parent 0 89d6a7a84779
permissions -rw-r--r--
Week 23 contribution of SDK documentation content. See release notes for details. Fixes bugs Bug 2714, Bug 462.

<?xml version="1.0" encoding="utf-8"?>
<!-- Copyright (c) 2007-2010 Nokia Corporation and/or its subsidiary(-ies) All rights reserved. -->
<!-- This component and the accompanying materials are made available under the terms of the License 
"Eclipse Public License v1.0" which accompanies this distribution, 
and is available at the URL "http://www.eclipse.org/legal/epl-v10.html". -->
<!-- Initial Contributors:
    Nokia Corporation - initial contribution.
Contributors: 
-->
<!DOCTYPE concept
  PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
<concept id="GUID-C893C9E6-47B8-5149-9808-0274C61CF3D7" xml:lang="en"><title>OCSP-SWI Integration</title><abstract><p>The Symbian platform provides the ability to validate
and manage <xref href="GUID-C676C4E6-93AF-59E9-886D-74D59F154490.dita">X.509</xref> certificates. This ability is integrated into the software
installation process to provide Secure Software Install (SWI) with
the functionality of performing certificate checking at installation
time. During installation, SWI checks whether the certificates associated
with the application to be installed have been revoked. It performs
this check by using Online Certificate Status Protocol (OCSP). </p><p>You can configure SWI to enable or disable the revocation status
check of certificates. In addition, SWI can also be configured to
supply the OCSP client with a default Uniform Resource Identifier
(URI) for the OCSP server.</p></abstract><prolog><metadata><keywords/></metadata></prolog><conbody>
<p>You can configure SWI to enable or disable the revocation status
check of certificates. In addition, SWI can also be configured to
supply the OCSP client with a default Uniform Resource Identifier
(URI) for the OCSP server. </p>
<section id="GUID-847C8586-8023-4F5F-8A25-028AEE1A8F06"><title>Installing software based on OCSP check</title> <p>SWI validates the certificate in the install file. As part of validation,
it carries out revocation check, depending on the setting of the <codeph>OcspEnabled</codeph> parameter in the <codeph>swipolicy.ini</codeph> file. If the revocation check option is enabled, a
warning is displayed giving options to carry out revocation check,
to continue without revocation check or to cancel the installation.
If the option is enabled, all certificates in the chain except the <xref href="GUID-2800C486-2FB4-5C5C-990F-CC1A290F7E0C.dita">root</xref> are checked. </p> <p> <b>Note:</b> For details on how certificates are validated,
see <xref href="GUID-A3B58436-07E4-565B-800B-86435D205461.dita">Certificate
Validation in PKIX</xref>. </p> <p>The results of revocation check
decide whether the application can be installed. The following are
the scenarios associated with the certificate revocation check: </p> <ul>
<li id="GUID-EE8C335A-B74D-56D3-9DC5-8E7D9D9C8EB8"><p>If the OCSP
client indicates that no certificates are revoked and the operation
completes successfully with no errors or warnings, the software can
be installed. </p> </li>
<li id="GUID-0F861436-15DE-56C7-A06D-C93C30829313"><p>If OCSP indicates
that any of the certificates is revoked or if the signature on the
OCSP response is invalid, a security error is issued and the software
cannot be installed. </p> </li>
<li id="GUID-F8A8F1FB-DC90-58B0-98B7-8EFE4255A2D6"><p>If the revocation
status of a certificate cannot be determined (because of reasons like
lack of network access or OCSP responder error), SWI behaves as if
the software were unsigned. The setting of the <codeph>AllowUnsigned</codeph> parameter in the <codeph>swipolicy.ini</codeph> file determines
whether the unsigned software can be installed or not. If the parameter
value is true, SWI issues a warning before installing but allows installation
of the software. Otherwise it issues an error and does not allow installation. </p> </li>
</ul> <p> <b>Note:</b> For details of the various parameters in <codeph>swipolicy.ini</codeph>, see <xref href="GUID-F8C2E97C-35EC-5437-BC6B-E2A622D2DC4D.dita">Secure Software Install
Reference</xref>. </p> </section>
</conbody><related-links>
<link href="GUID-90DF40EF-7D3F-551D-9957-A3756317A254.dita"><linktext>Online
Certificate Status Protocol</linktext></link>
</related-links></concept>
MCL/sftools/depl/docscontent