Re: [OAUTH-WG] Signatures, Why?

2010-03-08 Thread Jochen Hiller
On Mon, Mar 8, 2010 at 6:58 PM, John Panzer wrote:

> On Mon, Mar 8, 2010 at 5:38 AM, Torsten Lodderstedt <
> tors...@lodderstedt.net> wrote:
>
>> ...
>>>
>>> 1. Connection latency to bootstrap the connection (from the
>>> asymmetric/public-key encryption operations)
>>>
>>
>> Bootstrapping an SSL session is expensive. But every session can be
>> used for multiple HTTPS connections. Thus an application can establish the
>> first HTTPS connection in the background before any user interaction takes
>> place and reuse the session for further communication.
>>
>
> I think this point is worth calling out (and doing a bit of prototyping on)
> -- if the use case is a latency-sensitive client app that wishes to avoid
> cold-start HTTP(s) connections, then a warmup connect() or just an
> idempotent GET while the app is starting up / coming to the foreground could
> be a very good idea.  Good even without SSL, due to DNS overhead, and even
> more useful with SSL.  This could allow many apps to hide the latency hit
> from the user almost completely.
>
> If this is true, then it may mean that the SSL overhead would be a problem
> in far fewer cases than it might appear at first glance.
>
>
I am developing Android apps using a Security Token Service which forces use
of SSL. I ran into exactly the issue that the first request is expensive,
due to establishing the SSL session between the Android app and the server. To
reduce the latency of the first HTTPS request with user interaction, I
did exactly what you described: I run a simple GET request during app
startup, in the background, and reuse the HttpClient for further requests. The
required time has been reduced by about 1 sec (exact time depends on device and
hardware capabilities), resulting in absolute processing times in the range of
about 100-200 ms, not seconds (depends mainly on server and token
requirements).

I agree that SSL simplifies the requirements for the client and client
developer. Every library on the client you do NOT need reduces complexity and
dependencies on other 3rd-party libraries. Even generating nonces and
timestamps on the client requires additional state to be maintained somewhere
within your app.

Cheers, Jochen
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] Signatures, Why?

2010-03-08 Thread Jochen Hiller
Hi Brian,

On Mon, Mar 8, 2010 at 8:46 PM, Brian Eaton wrote:

> On Mon, Mar 8, 2010 at 11:21 AM, Jochen Hiller wrote:
> > The required time has been reduced by about 1 sec (exact time depends on
> > device and hardware capabilities), resulting in absolute processing times
> > in the range of about 100-200 ms, not seconds (depends mainly on server
> > and token requirements).
>
> How much of the time savings was due to reducing network latency?  My
> guess is most of it, but if you saw differently that would be very
> interesting.
>

You are right: I forgot to mention "depends on network" for time reduction.

I do not (yet) have a regression test regarding performance measurements and
HTTPS. But that would be a good idea to get a better understanding of where
the time is spent.

I will set up a simple JUnit test case which takes performance measurements,
and keep you informed.

Bye, Jochen
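The following is an added example, not Jochen's code and not from the Android SDK or any token service. It shows the pattern from the first message (one shared HttpClient, an idempotent warm-up GET in a background thread at startup, connection reuse for later requests) and the breakdown Brian asks about in the second message (how much of the first request's time is DNS and TCP round trips versus the TLS handshake). It assumes the Apache HttpClient 4.0 API that Android bundled at the time; the host sts.example.com and the /ping path are placeholders, and the endpoint behind /ping is assumed to be cheap and idempotent.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.HttpVersion;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.params.ConnManagerParams;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.HttpConnectionParams;
import org.apache.http.params.HttpParams;
import org.apache.http.params.HttpProtocolParams;

/** One shared HttpClient per app: the pooled keep-alive connection carries the TLS session. */
public final class StsClient {
    // Placeholder host and path (assumptions, not a real endpoint). /ping must be idempotent and cheap.
    static final String HOST = "sts.example.com";
    static final String WARMUP_URL = "https://" + HOST + "/ping";

    private final HttpClient client;

    public StsClient() {
        HttpParams params = new BasicHttpParams();
        HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1); // persistent connections
        HttpConnectionParams.setConnectionTimeout(params, 5000);
        HttpConnectionParams.setSoTimeout(params, 10000);
        ConnManagerParams.setMaxTotalConnections(params, 4);

        // Register https only: with no "http" scheme the client cannot be talked into plaintext.
        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("https", SSLSocketFactory.getSocketFactory(), 443));

        ClientConnectionManager cm = new ThreadSafeClientConnManager(params, registry);
        client = new DefaultHttpClient(cm, params);
    }

    /** Call once at startup, off the UI thread: DNS, TCP and the TLS handshake finish before the user acts. */
    public void warmUpInBackground() {
        new Thread(new Runnable() {
            public void run() {
                try {
                    get(WARMUP_URL);
                } catch (IOException e) {
                    // Best effort: on failure the first real request simply pays the full setup cost.
                }
            }
        }, "sts-warmup").start();
    }

    /** GET and drain the body; an unconsumed entity keeps the connection out of the pool. */
    public int get(String url) throws IOException {
        HttpResponse response = client.execute(new HttpGet(url));
        HttpEntity entity = response.getEntity();
        if (entity != null) {
            entity.consumeContent();
        }
        return response.getStatusLine().getStatusCode();
    }

    /**
     * Splits the first request's cost into DNS lookup, bare TCP connect, a cold HTTPS GET
     * (TLS handshake plus request) and a second GET on the pooled connection.
     * Returns milliseconds in that order. TCP connect approximates one network round trip;
     * cold minus warm approximates the handshake. Run it on a fresh client, before
     * warmUpInBackground(), or the "cold" GET is already warm.
     */
    public long[] measureFirstRequest(String url) throws IOException {
        long[] ms = new long[4];
        long t = System.nanoTime();
        InetAddress addr = InetAddress.getByName(HOST); // Java caches this, so the GET below excludes DNS
        ms[0] = elapsedMs(t);

        t = System.nanoTime();
        Socket probe = new Socket(addr, 443);
        probe.close();
        ms[1] = elapsedMs(t);

        t = System.nanoTime();
        get(url);
        ms[2] = elapsedMs(t);

        t = System.nanoTime();
        get(url);
        ms[3] = elapsedMs(t);
        return ms;
    }

    private static long elapsedMs(long startNanos) {
        return (System.nanoTime() - startNanos) / 1000000L;
    }
}
```

A JUnit test of the kind mentioned in the second message would construct a fresh StsClient, call measureFirstRequest(StsClient.WARMUP_URL) and record the four numbers per device and network; the TCP figure answers how much of the saving is plain network latency, the cold-minus-warm figure how much is the handshake. Two caveats a practitioner should expect: the server may close the idle keep-alive connection before the user acts, in which case the client reconnects, and the JSSE client-side session cache normally lets that reconnect use an abbreviated handshake rather than a full one; and the entity must always be consumed (or the request aborted), otherwise the pooled connection is never returned and later requests open new ones, silently undoing the warm-up.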