
Discussion Board

  1. #1
    Registered User
    Join Date
    Jun 2006
    Posts
    5

    Manufacturer/Operator Domain

    I am looking for a way to suppress the prompt that asks the user to send an SMS for my application. I followed this thread and realized that the Trusted Third-Party certificate does not provide the "Always Allowed" setting.
    http://discussion.forum.nokia.com/fo...ad.php?t=43911

    I read in the "Getting Started With Security" document that a security certificate under the Manufacturer/Operator Domain will grant this option
    (http://www.forum.nokia.com/info/sw.n..._0_en.pdf.html)

    Where can I obtain a certificate that is in the Manufacturer/Operator Domain?

    I was also looking into Javaverified.com. At the end of the testing, if the application passes, it is signed with a GeoTrust certificate. Does anyone know which domain it falls under (Trusted Third-Party, Operator or Manufacturer)?

    Thank you very much.
    Shufei

  2. #2
    Super Contributor
    Join Date
    Dec 2005
    Location
    Europe/Poland/Warsaw
    Posts
    1,697

    Re: Manufacturer/Operator Domain

    hi,

    that's correct:
    SMS (mmapi send message in general) is an exception from the general MIDP policy, and it will always prompt asking for confirmation even if signed with a 3rd party trusted certificate,
    JavaVerified is a 3rd party certificate,

    don't know how to get Manufacturer cert, probably via Nokia Pro membership,

    @Hartti
    could be noted somewhere in FAQ about Manufacturer/Operator - I've been answering similar questions myself when reading docs

    regards,
    peter
    Last edited by peterblazejewicz; 2006-08-21 at 23:54.

  3. #3
    Super Contributor
    Join Date
    Apr 2003
    Location
    USA, CA
    Posts
    7,191

    Re: Manufacturer/Operator Domain

    In general, signed midlets should have by default "Always ask" but the user should be able to change the setting to "Ask once per session" or "Always allowed". This is how the recommended security policy (part of MIDP spec) describes the situation.
    However, some carriers have more restrictive policies, and in this case the "Always allowed" option might not be available. One such example is Cingular in the U.S.

    Java Verified signing places the midlet in the trusted 3rd party domain. The same applies to GeoTrust.

    Getting your midlet signed by carrier / operator requires you to work closely with the carrier and most likely some partnering agreements. The process varies from carrier to carrier and it is usually very strict (the midlet has to also additionally follow some guidelines set by the carrier).

    The same goes for the manufacturer domain. In Nokia's case, Nokia branded midlets are signed to the manufacturer domain. There are very few (if any) exceptions to this rule.

    Hartti

  4. #4
    Super Contributor
    Join Date
    Dec 2005
    Location
    Europe/Poland/Warsaw
    Posts
    1,697

    Re: Manufacturer/Operator Domain

    Hartti,
    thank you
    regards,
    Peter

  5. #5
    Super Contributor
    Join Date
    Apr 2003
    Location
    USA, CA
    Posts
    7,191

    Re: Manufacturer/Operator Domain

    Oops, reading the spec and seeing a device in action are different things. Apparently SMS sending is really more restricted in general than other categories, although the recommendation does not state so. I tested with a generic E61 and it had only "ask always" for messaging for signed midlets.

    Hartti

  6. #6
    Registered User
    Join Date
    Jun 2006
    Posts
    5

    Re: Manufacturer/Operator Domain

    Thanks for your responses. They give me clarity on this issue.

    I understand that we should secure network channels (SMS, HTTP, etc.) on the phone, but I wonder if Nokia's security rule on messaging is a bit too strict. It limits us from taking advantage of the SMS channel.

  7. #7
    Super Contributor
    Join Date
    Dec 2005
    Location
    Europe/Poland/Warsaw
    Posts
    1,697

    Re: Manufacturer/Operator Domain

    hi shufeilei,
    for me it's quite obvious, there are two main groups of players on the market which made the "sms" buzz possible: device manufacturers and network operators (mobile carriers), especially mobile carriers are not interested in handling thousands of claims of unwanted sms/mms sends via their network from a device (if I'm correct the number of sms sends each day is far greater than the number of mails, especially in some countries in Europe and in Asia),

    within a group I'm working and learning in, we are sketching an application for public service (municipal service) which will be using sms without "user consent", for example in an emergency situation - if implemented as a "proof of concept" application, at some point in the future we will try to co-operate with one of our mobile carriers for signing it (we think that carrier will be interested in that),

    so:
    if you don't want to bother with sms issue and you have only 3rd party cert:
    - implement 3rd tier web server
    - use standard http based request to send sms data to web server
    - let the web server send sms messages to connected clients,
    that will allow you to use "blanket" settings for that application,

    regards,
    Peter
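
Added example, not part of the thread: a sketch of the request check the relay server in Peter's three steps would need so that it does not become an open SMS gateway. The per-client HMAC key, field layout, quota and the `send_sms` hook are assumptions made for illustration, not anything specified by the posters or by Nokia.

```python
import hashlib
import hmac
import re
import time

# Constructed demo secret; a real deployment provisions one key per client.
CLIENT_KEYS = {"client-01": b"constructed-demo-secret"}
MAX_PER_HOUR = 5      # assumed per-client quota
MAX_SKEW = 300        # assumed tolerance (seconds) on the request timestamp
RECIPIENT_RE = re.compile(r"\+?[0-9]{6,15}")


def sign(key, client_id, ts, recipient, text):
    """MAC the MIDlet would compute over the fields of its HTTP request."""
    msg = "\n".join([client_id, str(ts), recipient, text]).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class SmsRelay:
    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms   # hypothetical hook into the SMS gateway
        self.now = now
        self.sent = {}             # client_id -> times of accepted requests
        self.seen = set()          # MACs already accepted (replay guard)

    def handle(self, client_id, ts, recipient, text, mac):
        """Return (HTTP status, reason); ts is the integer the HTTP layer parsed."""
        key = CLIENT_KEYS.get(client_id)
        if key is None:
            return 403, "unknown client"
        expected = sign(key, client_id, ts, recipient, text)
        if not hmac.compare_digest(expected.encode(), mac.encode()):
            return 403, "bad signature"
        if not RECIPIENT_RE.fullmatch(recipient):
            return 400, "bad recipient"
        now = self.now()
        if abs(now - ts) > MAX_SKEW or mac in self.seen:
            return 403, "stale or replayed request"
        recent = [t for t in self.sent.get(client_id, []) if now - t < 3600]
        if len(recent) >= MAX_PER_HOUR:
            return 429, "quota exceeded"
        self.seen.add(mac)
        self.sent[client_id] = recent + [now]
        self.send_sms(recipient, text)
        return 200, "queued"
```

The in-memory `seen` and `sent` tables grow without bound here; a deployed relay would expire entries older than the skew window and the quota hour.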

  8. #8
    Registered User
    Join Date
    Mar 2003
    Posts
    9

    Re: Manufacturer/Operator Domain

    Hartti:

    I'm sorry that I don't fully understand your last post - when you say that
    "I tested with generic E61 and it had only ask always for messaging for signed midlets." - what level of signing are you talking about - trusted 3rd party, operator, or manufacturer? Is there *any* way around this? Will carrier or manufacturer level signing make this available? Is it ever possible for "Always Allowed" to be the default setting?

    Thanks,

    Andy
    Last edited by andywein; 2006-12-28 at 20:12.

  9. #9
    Super Contributor
    Join Date
    Apr 2003
    Location
    USA, CA
    Posts
    7,191

    Re: Manufacturer/Operator Domain

    Andy,

    I was talking about an unsigned application (untrusted 3rd party domain). That domain has only "ask always" available for messaging according to the recommendation and on E61.

    "Is there *any* way around this?"

    Signing, and even then trusted 3rd party midlets do not have "always allowed" as default (it is available as an option). Of course some operators have more restrictive policies...

    "Will carrier or manufacturer level signing make this available? Is it ever possible for "Always Allowed" to be the default setting?"

    Manufacturer and Operator domains have by default all settings as always allowed. Having your midlet signed with manufacturer certificate or operator certificate is another story altogether. In Nokia's case it will require that the midlet is Nokia branded, etc...

    Hartti

  10. #10
    Registered User
    Join Date
    Mar 2003
    Posts
    9

    Re: Manufacturer/Operator Domain

    Hartti, thanks so much. This is very helpful.

    I should note that I tried out our app as signed by one of the local operators here, and it does *not* have "Always Allowed" as an optional choice, never mind it being the default! Perhaps this is an example of what you said about some operators choosing to be stricter. But notice this is even for an Operator level signing. I'm going to check with them to make sure they actually do have an Operator certificate, and not just a third-party one.

    Would I be right in understanding that the way an Operator can be stricter is only via the firmware on the phone - they specify this behavior to Nokia as part of their operator-customized firmware - is that correct? It doesn't have anything to do with the details of signing, right?

  11. #11
    Super Contributor
    Join Date
    Apr 2003
    Location
    USA, CA
    Posts
    7,191

    Re: Manufacturer/Operator Domain

    After installation you should be able to check which certificate was used for signing. On S60 phones you need to go to the Application Manager to see this (it is also shown during the installation process).
    I am guessing it is not a certificate tied to the operator domain.

    What is the operator in question?

    "Would I be right in understanding that the way an Operator can be stricter is only via the firmware on the phone - they specify this behavior to Nokia as part of their operator-customized firmware - is that correct? "

    Correct.

    Hartti

  12. #12
    Registered User
    Join Date
    Apr 2003
    Location
    Singapore
    Posts
    16

    Re: Manufacturer/Operator Domain

    @Hartti - We're another one of those unfortunate companies which have a java application which requires a lot of permissions on the phone.
    We have a file-sharing application - and to scan, say, 50 pictures on the phone - the application prompts 100 times (50 for write/edit data and 50 for read data)

    The good news is that we work closely with operators - and the operator is ok with
    having an operator domain certificate.

    Now I've 2 questions for you:

    1) How does an Operator get an Operator Domain certificate.
    2) How can the operator PUSH the certificate to its current subscriber base.

    Thanks,
    Sourabh.

  13. #13
    Super Contributor
    Join Date
    Apr 2003
    Location
    USA, CA
    Posts
    7,191

    Re: Manufacturer/Operator Domain

    1) Unfortunately I do not know all the details of this process
    2) As the certificate has to be either on the phone or on the SIM card, the only option I see here is that the operator upgrades the SIM cards. I am not sure, but I suppose that this cannot be done over-the-air, so the SIM cards might need to be replaced physically

    Hartti

  14. #14
    Regular Contributor
    Join Date
    Mar 2008
    Posts
    198

    Re: Manufacturer/Operator Domain

    Originally posted by sourabhs:
    "1) How does an Operator get an Operator Domain certificate.
    2) How can the operator PUSH the certificate to its current subscriber base."

    I think you have a basic misunderstanding... the "operator" is the mobile network operator, e.g. Sprint, O2, Telefonica, etc. They will install their certificate on every SIM card that they issue. They are already doing this and have been doing it for years. There is no need to "push" a certificate.

    All operators (well 99%) already have a certificate. There is no need to ask "how" they get one. An operator will obtain one when they start up in business by proving to someone like Verisign that they are indeed an operator. However, they will only use it on your application if you have a specific business arrangement with them.

    If you really come across an operator that doesn't already have a certificate then things are going to be very difficult.

    BTW... You don't need an operator certificate to remove read and write requests... a normal code signing certificate will do that.

    - Mike
    NAVTEQ Network for Developers
    The community for developing innovative location-based applications
    http://NN4D.com
    Last edited by mikemoore; 2009-03-23 at 18:36.
