On Mon, Mar 8, 2010 at 6:58 PM, John Panzer <jpan...@google.com> wrote:
> On Mon, Mar 8, 2010 at 5:38 AM, Torsten Lodderstedt <tors...@lodderstedt.net> wrote:
>
>> ...
>>> 1. Connection latency to bootstrap the connection (from the
>>> asymmetric/public-key encryption operations)
>>
>> Bootstrapping an SSL session is expensive. But every session can be
>> used for multiple HTTPS connections. Thus an application can establish the first
>> HTTPS connection in the background before any user interaction takes place and
>> reuse the session for further communication.
>
> I think this point is worth calling out (and doing a bit of prototyping on)
> -- if the use case is a latency-sensitive client app that wishes to avoid
> cold-start HTTP(s) connections, then a warmup connect() or just an
> idempotent GET while the app is starting up / coming to the foreground could
> be a very good idea. Good even without SSL, due to DNS overhead, and even
> more useful with SSL. This could allow many apps to hide the latency hit
> from the user almost completely.
>
> If this is true, then it may mean that the SSL overhead would be a problem
> in far fewer cases than it might appear at first glance.

I am developing Android apps using a Security Token Service which forces use of SSL. I ran into exactly the issue that the first request is expensive, due to establishing the SSL session between the Android app and the server.

To reduce the latency of the first HTTPS request with user interaction, I did exactly what you described: I run a simple GET request during app startup, in the background, and reuse the HttpClient for further requests. The required time has been reduced by about 1 sec (exact time depends on device and hardware capabilities), resulting in absolute processing times in the range of about 100-200 ms, not seconds (depends mainly on server and token requirements).

I agree that SSL simplifies the requirements for the client and client developer. Every library on the client you do NOT need reduces complexity and dependencies on other 3rd party libraries. Even generating nonces and timestamps on the client requires additional state to be maintained somewhere within your app.

Cheers,
Jochen
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
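
The warm-up pattern discussed in this thread, as an added example that is not part of the original messages or anyone's app code: a Go program (chosen so it runs offline against a constructed local TLS test server) that sends a warm-up GET and then checks that the next request on the same client reuses the pooled connection and performs no TLS handshake. The names `result`, `get` and `demo` are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httptrace"
)

type result struct {
	Reused     bool // an already-open connection was taken from the pool
	Handshakes int  // TLS handshakes performed for this request
}

// get issues an idempotent GET and reports whether it paid for a TLS handshake.
func get(c *http.Client, url string) (r result, err error) {
	trace := &httptrace.ClientTrace{
		GotConn:           func(i httptrace.GotConnInfo) { r.Reused = i.Reused },
		TLSHandshakeStart: func() { r.Handshakes++ },
	}
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return r, err
	}
	resp, err := c.Do(req.WithContext(httptrace.WithClientTrace(req.Context(), trace)))
	if err != nil {
		return r, err
	}
	defer resp.Body.Close()
	// Drain the body: an unread response keeps the connection out of the idle pool.
	_, err = io.Copy(io.Discard, resp.Body)
	return r, err
}

// demo performs the startup warm-up GET, then the first "user" request.
func demo() (warm, user result, err error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "ok") // constructed local endpoint standing in for the token service
	}))
	defer srv.Close()
	client := srv.Client() // one client kept for the whole run; trusts the test certificate
	if warm, err = get(client, srv.URL); err != nil {
		return
	}
	user, err = get(client, srv.URL)
	return
}

func main() { fmt.Println(demo()) }
```

The saving depends on keeping the same client and on the server leaving the connection open; if the idle connection has been closed by the time of the user request, a new handshake is needed again.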