RE: WAP issues with XKMS [was RE: Mobile XKMS clients]

All,

Here is the paper I mentioned in a previous email.  It was presented by
Ericsson to the WAP Security Group (WSG) in Sep 2001 and compares XKMS
Validate with CRLs and OCSP.  The authors have given me permission to post
it to this list.

Note that I believe this paper makes some incorrect assumptions that skew
the results a bit (i.e. they didn't consider cert chains longer than 1), but
it is interesting nonetheless.

Regards,
Alex
 

> -----Original Message-----
> From: Ed Simon [mailto:edsimon@xmlsec.com]
> Sent: Wednesday, February 27, 2002 7:07 AM
> To: www-xkms@w3.org
> Subject: Re: WAP issues with XKMS [was RE: Mobile XKMS clients]
> 
> 
> I can't think of any constrained-xmldsig specifications offhand.  After all,
> XML Signature only became a Recommendation last week.
> 
> That said, there are a number of potential XML Signature processing
> optimizations that could be implemented; they would need to be selected
> according to the specific needs of the system in mind.  Let me emphasize
> that these wouldn't be optimizations to the XML Signature spec but
> reasonable constraints on the data being signed and optimized code written
> particularly for those constraints.
> 
> So the first thing to do is to get a firm understanding of XKMS use in
> mobile devices and smart cards including what constraints can be placed on
> the XKMS, then identify the potential optimization possibilities, and then
> finally, write some specialized code to see if the results are what were
> hoped for.  Though the topic is specifically interesting to me, I can't
> commit to anything major on it until I've confirmed I've got the resources
> necessary for it.
> 
> Regards, Ed
> 
> ----- Original Message -----
> From: "Stephen Farrell" <stephen.farrell@baltimore.ie>
> To: "Ed Simon" <edsimon@xmlsec.com>
> Cc: <www-xkms@w3.org>
> Sent: Tuesday, February 26, 2002 8:08 AM
> Subject: Re: WAP issues with XKMS [was RE: Mobile XKMS clients]
> 
> 
> >
> > Ed,
> >
> > On the first issue - have we any examples of a constrained-xmldsig
> > specification?
> >
> > Stephen.
> >
> > Ed Simon wrote:
> > >
> > > Alex wrote
> > > > 1) Because it's not possible (and perhaps impossible) to support a general
> > > > purpose XML parser and more importantly a full XML dsig implementation on
> > > > constrained devices, it would be necessary to create a dsig profile for XKMS
> > > > messaging.  For example, is full XPath support necessary?
> > >
> > > Individual protocols can certainly decide not to use XPath or other features
> > > of XML Signature; indeed the XML Signature schema specifically allows great
> > > flexibility in subclassing.   However, all protocols, no matter how they
> > > subclass XML Signature, must however ensure they are using XML Signature in
> > > a secure and sufficiently interoperable manner.
> > >
> > > I'm interested in the question about determining what degree of XML
> > > processing will be available on "constrained" devices.   I'm not
> > > knowledgeable enough in this area but it seems to me that there are so many
> > > XML technologies that will be desired on such devices (e.g. SVG, Web
> > > services,...) that it would make sense (even in a constrained environment)
> > > to have a reasonably adequate level of generic XML processing available.
> > >
> > > > 2) The size of a signed XKMS message is too large, leading to bandwidth
> > > > issues.  For example, a typical signed XKMS Validate response can run about
> > > > 2.5K.  On some networks this would cost the user between 7 and 10 cents!
> > > > (Data from a major European operator)   This seems to have been the major
> > > > issue with the vendors and caused them to stick to their smaller proprietary
> > > > structures and to consider ASN.1 based protocols such as OCSP for validation
> > > > instead of going with XKMS.
> > >
> > > Again, I'm no expert in wireless but 4 cents per kilobyte sounds strange to
> > > me as a design parameter.  I thought 3G wireless was good for say, at least
> > > 10 kB/second.  Does that mean on 3G, I'd be spending 40 cents/second,
> > > $24/minute!, on a 3G network!!!
> > >
> > > Ed
> >
> > --
> > ____________________________________________________________
> > Stephen Farrell
> > Baltimore Technologies,   tel: (direct line) +353 1 881 6716
> > 39 Parkgate Street,                     fax: +353 1 881 7000
> > Dublin 8.                mailto:stephen.farrell@baltimore.ie
> > Ireland                             http://www.baltimore.com
> >
> 
> 

Received on Friday, 1 March 2002 18:28:01 UTC