WAP issues with XKMS [was RE: Mobile XKMS clients]

Hi,

My experience on the topic of XKMS from the WAP community has been that at a
conceptual level the idea of XKMS is very appealing.  Device manufacturers
like the idea of "offloading complexity" from the client to the server and
WAP operators like the idea of centralizing and controlling their PKI
policy.  

However, there were two issues that seemed to cause roadblocks when I tried
to introduce XKMS in WAP.  The first is not so big and probably quite easy
to solve, the second could turn out to be a large barrier to adoption in
wireless worlds:

1) Because it's not possible (and perhaps impossible) to support a general
purpose XML parser and more importantly a full XML dsig implementation on
constrained devices, it would be necessary to create a dsig profile for XKMS
messaging.  For example, is full XPath support necessary?

2) The size of a signed XKMS message is too large, leading to bandwidth
issues.  For example, a typical signed XKMS Validate response can run about
2.5K.  On some networks this would cost the user between 7 and 10 cents!
(Data from a major European operator.)  This seems to have been the major
issue with the vendors and caused them to stick to their smaller proprietary
structures and to consider ASN.1 based protocols such as OCSP for validation
instead of going with XKMS.

Ericsson published a technical paper on the concept of certificate
validation in a WAP environment.  They compared CRLs, OCSP and XKMS.  I
didn't agree with most of their assumptions; however, it was interesting
nonetheless.  If people are interested I'll ask the authors if I can post the
paper to this list.

Regards,
Alex 

> -----Original Message-----
> From: Blair Dillaway [mailto:blaird@microsoft.com]
> Sent: Monday, February 25, 2002 3:09 PM
> To: Yassir Elley; www-xkms@w3.org
> Subject: RE: Mobile XKMS clients
> 
> 
> Yassir,
> 
> I have always assumed the primary target of the XKMS specification is
> devices that use XML-based protocols and data structures.  This implies
> a full-featured parser, though not necessarily a DOM-based parser.  A
> cell phone could meet this criterion, probably not existing smart cards.
> In any event, I believe a minimal XKMS client would only need to be able
> to handle composition and parsing of the XKMS Validate messages.  A
> special built parser for this could be very small, especially if the
> supported KeyInfo structure is constrained.
> 
> So in answer to your question, I believe devices must be able to compose
> and parse the XML associated with the XKMS messages required by their
> application(s).  But, it isn't required they support a general purpose
> XML parsing capability.
> 
> Blair
>  
> 
> -----Original Message-----
> From: Yassir Elley [mailto:yassir.elley@sun.com] 
> Sent: Monday, February 25, 2002 1:29 PM
> To: www-xkms@w3.org
> Subject: Mobile XKMS clients
> 
> 
> Although we don't spell it out explicitly in the Requirements document,
> it is obviously implied that XKMS applications MUST have the ability to
> parse XML data. This poses a problem for extremely constrained clients
> (such as cell phones and smart cards) that do not have general-purpose
> XML parsers available to them - or SOAP processors for that matter -
> (because of memory constraints). I have always assumed that one of the
> (most) compelling use cases for XKMS is for mobile devices, such as cell
> phones, which are not capable of building and validating cert chains,
> etc. Although this assumption is not explicitly stated in our documents,
> it shows up on the XML Trust Center site under "Benefits of XKMS" - i.e.
> "Ideal for mobile devices: XKMS allow mobile devices to access
> full-featured PKI through ultra-minimal-footprint client device
> interfaces."
> 
> If one of our goals is to support constrained devices at the scale of
> cell phones and smart cards, then the current spec falls short of that
> goal.
> 
> My questions to the group:
> When we talk about supporting mobile devices, are we including cell
> phones and smart cards as such devices? Has anyone thought about
> implementation issues with respect to this? Do we need to add text
> indicating that providing support for applications without
> general-purpose XML parsers is out of scope?
> 
> Regards,
> Yassir.
> 
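Blair's remark in the quoted message that a special-built parser for the XKMS Validate messages could be very small if the KeyInfo structure is constrained, worked through as an added example that is not part of this thread: a Python tokeniser that recognises only the few XKMS elements a Validate client cares about, run over a constructed ValidateResult message. Assumptions: element and attribute names follow the later XKMS 2.0 vocabulary (ValidateResult, KeyBinding, Status, ds:KeyInfo), the service URL is a placeholder, and the ds:Signature element is omitted, so this shows the parsing side only, not dsig verification.

```python
import re

# Constructed sample ValidateResult (XKMS 2.0-style names, signature omitted).
SAMPLE = """<?xml version="1.0"?>
<ValidateResult xmlns="http://www.w3.org/2002/03/xkms#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Id="r1" Service="http://xkms.example.invalid/"
    ResultMajor="http://www.w3.org/2002/03/xkms#Success">
  <KeyBinding Id="kb1">
    <ds:KeyInfo><ds:KeyName>alice@example.invalid</ds:KeyName></ds:KeyInfo>
    <KeyUsage>http://www.w3.org/2002/03/xkms#Signature</KeyUsage>
    <Status StatusValue="http://www.w3.org/2002/03/xkms#Valid">
      <ValidReason>http://www.w3.org/2002/03/xkms#IssuerTrust</ValidReason>
    </Status>
  </KeyBinding>
</ValidateResult>"""

# One regex tokenises the XML declaration, start tags (with attributes), end
# tags and text runs. This is the whole "parser"; no DOM, no XPath, no
# general-purpose XML support, which is what keeps it small on a phone.
TOKEN = re.compile(r"<\?.*?\?>|<(/?)([\w:.-]+)([^>]*?)(/?)>|([^<]+)", re.S)
ATTR = re.compile(r'([\w:.-]+)\s*=\s*"([^"]*)"')

def local_name(qname):
    # Drop the ds:/xkms: prefix; this client only matches on local names.
    return qname.split(":", 1)[-1]

def parse_validate_result(xml):
    """Extract ResultMajor, StatusValue, ValidReason and KeyName values."""
    out = {"result": None, "status": None, "reasons": [], "key_names": []}
    stack, text = [], ""
    for m in TOKEN.finditer(xml):
        if m.group(5) is not None:        # text run: accumulate until a tag
            text += m.group(5)
            continue
        if m.group(0).startswith("<?"):   # XML declaration: ignore
            continue
        name = local_name(m.group(2))
        if m.group(1):                    # end tag: check nesting, harvest text
            if not stack or stack.pop() != name:
                raise ValueError("mismatched end tag " + name)
            if name == "ValidReason":
                out["reasons"].append(text.strip())
            elif name == "KeyName":
                out["key_names"].append(text.strip())
        else:                             # start tag: read the attributes we need
            attrs = dict(ATTR.findall(m.group(3)))
            if name == "ValidateResult":
                out["result"] = attrs.get("ResultMajor")
            elif name == "Status":
                out["status"] = attrs.get("StatusValue")
            if not m.group(4):
                stack.append(name)
        text = ""
    if stack:
        raise ValueError("unterminated element " + stack[-1])
    return out
```

Dropping the parser to this size is only defensible because the accepted message shape is fixed by the client's own profile; anything outside it (unknown elements, unbalanced nesting) is rejected rather than interpreted.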

Received on Monday, 25 February 2002 20:50:50 UTC