Re: WAP issues with XKMS [was RE: Mobile XKMS clients]

Stef,

> (you mean implementation instead of specification?)

No, I meant specification. I can see how to write code that
only handles certain xml signatures, but I'm not sure how
to show two different programmers a way to do this 
consistently with one another.

> A XML 'parser' to do only an XKMS Validate can be very small
> (I guess 5 K of Java code could be enough).
> 
> XML DSIG will already be a lot heavier, even if you
> would limit it to e.g. a SHA1withRSA enveloped signature
> and the simplest canonicalization.
> But do you need XML signature? It's not required for XKMS
> if you have sufficient transport-level security (e.g. a WTLS
> connection to the XKMS service, ...).

For validate-only clients, TLS, WTLS etc are IMO fine as
an option as you state. If I also had the option of handling
signed responses then there'd be no need to directly connect to
the xkms responder.

I'd also be interested in knowing how lightweight an xkms 
client could be and still handle register messages.

However, since none of the above is critical for progressing 
the requirements document, maybe we can leave this until
someone does write the "small xmldsig" document?

Stephen.




> 
> Cheers,
> Stef
> 
> > Ed,
> >
> > On the first issue - have we any examples of a constrained-xmldsig
> > specification?
> >
> > Stephen.
> >
> > Ed Simon wrote:
> > >
> > > Alex wrote
> > > > 1) Because it's not possible (and perhaps impossible) to support a
> > > > general purpose XML parser and more importantly a full XML dsig
> > > > implementation on constrained devices, it would be necessary to
> > > > create a dsig profile for XKMS messaging.  For example, is full
> > > > XPath support necessary?
> > >
> > > Individual protocols can certainly decide not to use XPath or other
> > > features of XML Signature; indeed the XML Signature schema
> > > specifically allows great flexibility in subclassing.   However, all
> > > protocols, no matter how they subclass XML Signature, must however
> > > ensure they are using XML Signature in a secure and sufficiently
> > > interoperable manner.
> > >
> > > I'm interested in the question about determining what degree of XML
> > > processing will be available on "constrained" devices.   I'm not
> > > knowledgeable enough in this area but it seems to me that there are
> > > so many XML technologies that will be desired on such devices (e.g.
> > > SVG, Web services,...) that it would make sense (even in a
> > > constrained environment) to have a reasonably adequate level of
> > > generic XML processing available.
> > >
> > > > 2) The size of a signed XKMS message is too large, leading to
> > > > bandwidth issues.  For example, a typical signed XKMS Validate
> > > > response can run about 2.5K.  On some networks this would cost the
> > > > user between 7 and 10 cents! (Data from a major European operator)
> > > > This seems to have been the major issue with the vendors and caused
> > > > them to stick to their smaller proprietary structures and to
> > > > consider ASN.1 based protocols such as OCSP for validation instead
> > > > of going with XKMS.
> > >
> > > Again, I'm no expert in wireless but 4 cents per kilobyte sounds
> > > strange to me as a design parameter.  I thought 3G wireless was good
> > > for say, at least 10 kB/second.  Does that mean on 3G, I'd be
> > > spending 40 cents/second, $24/minute!, on a 3G network!!!
> > >
> > > Ed
> >
> > --
> > ____________________________________________________________
> > Stephen Farrell
> > Baltimore Technologies,   tel: (direct line) +353 1 881 6716
> > 39 Parkgate Street,                     fax: +353 1 881 7000
> > Dublin 8.                mailto:stephen.farrell@baltimore.ie
> > Ireland                             http://www.baltimore.com
> 

-- 
____________________________________________________________
Stephen Farrell         				   
Baltimore Technologies,   tel: (direct line) +353 1 881 6716
39 Parkgate Street,                     fax: +353 1 881 7000
Dublin 8.                mailto:stephen.farrell@baltimore.ie
Ireland                             http://www.baltimore.com

Received on Tuesday, 26 February 2002 09:47:29 UTC
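
One way to make the "small xmldsig" idea from this thread something two programmers would implement identically is a fixed allowlist that is checked before any signature verification. The sketch below is an added example, not code from the thread or from any XKMS specification. The profile contents (one enveloped RSA-SHA1 signature over the whole document, plain C14N, no XPath), the function names and the sample message are assumptions built from the thread's own example.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DS + "enveloped-signature"
XPATH = "http://www.w3.org/TR/1999/REC-xpath-19991116"
# Assumed profile, taken from the thread's example: one algorithm per slot.
PROFILE = {
    "CanonicalizationMethod": "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "SignatureMethod": DS + "rsa-sha1",
    "DigestMethod": DS + "sha1",
    "Transform": ENVELOPED,
}

def profile_violations(xml_text):
    """List every way a message departs from the profile (empty list = conforms).
    Structural check only; it runs before, not instead of, signature verification."""
    root = ET.fromstring(xml_text)
    sigs = root.findall(f".//{{{DS}}}Signature")
    if len(sigs) != 1 or sigs[0] not in list(root):
        return ["need exactly one Signature, as a direct child of the root"]
    sig, problems = sigs[0], []
    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1 or refs[0].get("URI") != "":
        problems.append('need exactly one Reference with URI=""')
    for name, allowed in PROFILE.items():
        found = sig.findall(f".//{{{DS}}}{name}")
        if len(found) != 1:
            problems.append(f"need exactly one {name}, found {len(found)}")
        for el in found:
            if el.get("Algorithm") != allowed:
                problems.append(f"{name} not in profile: {el.get('Algorithm')}")
    return problems

def sample(transforms):
    """Constructed message, not a real XKMS response; digest and signature are dummies."""
    c14n, sm, dm = (PROFILE[k] for k in
                    ("CanonicalizationMethod", "SignatureMethod", "DigestMethod"))
    t = "".join(f'<ds:Transform Algorithm="{a}"/>' for a in transforms)
    return (f'<Response xmlns:ds="{DS}"><Status>Valid</Status><ds:Signature><ds:SignedInfo>'
            f'<ds:CanonicalizationMethod Algorithm="{c14n}"/><ds:SignatureMethod Algorithm="{sm}"/>'
            f'<ds:Reference URI=""><ds:Transforms>{t}</ds:Transforms>'
            f'<ds:DigestMethod Algorithm="{dm}"/><ds:DigestValue>AA==</ds:DigestValue>'
            f'</ds:Reference></ds:SignedInfo><ds:SignatureValue>AA==</ds:SignatureValue>'
            f'</ds:Signature></Response>')

if __name__ == "__main__":
    print(profile_violations(sample([ENVELOPED])))         # conforming message
    print(profile_violations(sample([ENVELOPED, XPATH])))  # extra XPath transform
```

A client built to such a profile can reject anything outside it without carrying XPath or general transform support, which is the size concern raised in the thread.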