Apps/WebApplicationReceipt/GenerationService: Difference between revisions

Apps/WebApplicationReceipt/GenerationService (view source)

171 bytes added , 28 March 2012

m

→‎System Overview: added revocation check note

348

edits

@@ Line 18: / Line 18: @@
 The user agent makes requests for receipts when Marketplace content uses the Application DOM API to request an install.  The receipts are stored, along with application metadata, in the user agent, where they are made available to the developer's domain through the Application DOM API.  The developer is then expected to upload the receipt to their own server, where they can perform validation.
-Validation of the receipt can be done by the developer's server, by verifying the signature, and then verifying the chain of certificates.  The root of trust of the chain will be one of the public certificates previously advertised by the Marketplace in ##.
+Validation of the receipt can be done by the developer's server, by verifying the signature, and then verifying the chain of certificates.  The root of trust of the chain will be one of the public certificates previously advertised by the Marketplace.  Validation also requires that each certificate in the chain be checked for membership in the list of revoked certificates, also advertised by the Marketplace. (See Appendix B)
 Alternatively, the developer can POST the receipt to a URL specified in the receipt (the verify_url).  This is a service, hosted by Marketplace, which will: