- From: Stephen Farrell <stephen.farrell@baltimore.ie>
- Date: Tue, 26 Feb 2002 13:06:55 +0000
- To: www-xkms@w3.org
- CC: "Deacon, Alex" <alex@verisign.com>, "'Blair Dillaway'" <blaird@microsoft.com>, Yassir Elley <yassir.elley@sun.com>
This reminds me of something I meant to clear up before but didn't.

> 2) The size of a signed XKMS message is too large, leading to bandwidth
> issues. For example, a typical signed XKMS Validate response can run about
> 2.5K. On some networks this would cost the user between 7 and 10 cents!
> (Data from a major European operator) This seems to have been the major
> issue with the vendors and caused them to stick to their smaller proprietary
> structures and to consider ASN.1 based protocols such as OCSP for validation
> instead of going with XKMS.

Wasn't it also the mandatory additional roundtrip compared to (say) a pre-cooked OCSP response that was unpopular? If so (and I haven't checked back), would we want to accept a requirement on us to allow support for pre-cooked validate responses?

What I mean by pre-cooked is shown in the following scheme, where Bob sends Alice a pre-cooked xkms-response:

1. Alice asks Bob to send her a signed foo
2. Bob asks xkms responder to validate his signing key
3. Bob sends signed-foo+xkms-response to Alice
4. Alice checks signature and xkms-response

What Alice gets from this is to know that according to the responder Bob's key was ok recently. A variant of this would be where Alice provides (at 1) a nonce that's to be present in the xkms-response at 4. That gives Alice some freshness.

Anyway, my questions to you all are:

- do we want to allow this type of thing? (now, later, never)
- is it allowed/prevented by the current requirements document?
- if not, what language to add to allow/prevent it?

Stephen.

> Ericcson published a technical paper on the concept of certificate
> validation in a WAP environment. They compared CRLs, OCSP and XKMS. I
> didn't agree with most of their assumptions, however it was interesting
> nonetheless. If people are interested I'll ask the authors if I can post the
> paper to this list.
>
> Regards,
> Alex

-- 
____________________________________________________________
Stephen Farrell
Baltimore Technologies,                 tel: (direct line) +353 1 881 6716
39 Parkgate Street,                     fax: +353 1 881 7000
Dublin 8.                               mailto:stephen.farrell@baltimore.ie
Ireland                                 http://www.baltimore.com
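The four-step pre-cooked scheme and its nonce variant, as an added example that is not part of the original message or of XKMS: a Go sketch with Ed25519 signatures, where the `PreCooked` struct, `tbs`, `Validate` and `AliceCheck` are constructed stand-ins for the signed XKMS Validate response and the two parties' steps, not XKMS XML or any XKMS API. Alice's check rejects a response cooked for another nonce (replay of an older response) or one outside her freshness window.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

type PreCooked struct { // stand-in for the signed XKMS Validate response Bob forwards, not XKMS XML
	KeyID  []byte    // key the responder vouched for (Bob's public key)
	Nonce  []byte    // Alice's nonce from step 1, echoed by the responder
	Issued time.Time // when the responder answered
	Sig    []byte    // responder's signature over KeyID || Nonce || Issued
}

func tbs(keyID, nonce []byte, t time.Time) []byte { // bytes the responder signs
	return append(append(append([]byte{}, keyID...), nonce...), t.UTC().Format(time.RFC3339)...)
}

// Validate is step 2: the responder vouches for Bob's key and signs the response.
func Validate(respPriv ed25519.PrivateKey, bobPub ed25519.PublicKey, nonce []byte, now time.Time) PreCooked {
	return PreCooked{bobPub, nonce, now, ed25519.Sign(respPriv, tbs(bobPub, nonce, now))}
}

// AliceCheck is step 4: foo's signature, the responder's signature, key match, Alice's nonce (anti-replay), freshness.
func AliceCheck(respPub, bobPub ed25519.PublicKey, foo, fooSig []byte, r PreCooked, nonce []byte, now time.Time, maxAge time.Duration) error {
	switch {
	case !ed25519.Verify(bobPub, foo, fooSig):
		return errors.New("bad signature on foo")
	case !ed25519.Verify(respPub, tbs(r.KeyID, r.Nonce, r.Issued), r.Sig):
		return errors.New("bad responder signature")
	case !bytes.Equal(r.KeyID, bobPub):
		return errors.New("response is about a different key")
	case !bytes.Equal(r.Nonce, nonce):
		return errors.New("nonce mismatch, possibly a replayed response")
	case r.Issued.After(now) || now.Sub(r.Issued) > maxAge:
		return errors.New("response outside the freshness window")
	}
	return nil
}

func main() {
	respPub, respPriv, _ := ed25519.GenerateKey(nil) // responder's key pair
	bobPub, bobPriv, _ := ed25519.GenerateKey(nil)
	nonce, now := []byte("alice-nonce-0001"), time.Now()              // step 1: constructed nonce
	r, foo := Validate(respPriv, bobPub, nonce, now), []byte("foo") // steps 2 and 3
	fmt.Println(AliceCheck(respPub, bobPub, foo, ed25519.Sign(bobPriv, foo), r, nonce, now, time.Minute)) // <nil>
}
```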
Received on Tuesday, 26 February 2002 08:07:05 UTC