> It is also solvable the "easy way" by
> 1.) disallowing plain http, requiring https
> 2.) via https, passing plain text authentication to retrieve an authentication
> token (since this is a stateless protocol)
> 3.) from now on, ping-pong the authentication token hash in the usual way

2+3 is exactly what we do now, except for the https part, which isn't really hard to "add" as long as the xml-rpc libs support it (I think the Python implementation does).
Karsten
-- 
GPG key ID E4071346 @ wwwkeys.pgp.net
E167 67FD A291 2BEA 73BD 4537 78B9 A9F9 E407 1346
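The three-step scheme quoted above (https only; password sent once to obtain a token; token on every later call), as an added Python example written for this page. It is not code from the thread or from any XML-RPC project. The service class is shaped so it could be handed to SimpleXMLRPCServer.register_instance, but here it is exercised directly; the sample user, the token lifetime, the PBKDF2 parameters and the https-only client wrapper are all assumptions.

```python
"""Stateless XML-RPC authentication: plaintext login over TLS is exchanged
for a random bearer token; later calls carry only the token.
Added example, not from the original thread."""
import hashlib
import hmac
import secrets
import time
import xmlrpc.client
from urllib.parse import urlsplit

# Assumed parameters: server-side password hashing cost and token lifetime.
PBKDF2_ROUNDS = 200_000
TOKEN_TTL_SECONDS = 3600

# Faults raised here are serialised by SimpleXMLRPCServer as ordinary XML-RPC faults.
AuthFault = xmlrpc.client.Fault


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest (32 bytes)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class TokenService:
    """Server side of steps 2 and 3.  Register with
    SimpleXMLRPCServer.register_instance(TokenService({...})) behind TLS."""

    def __init__(self, users: dict, now=time.time):
        # `users` maps name -> plaintext password (constructed sample data);
        # only salted hashes are kept in memory.
        self._users = {}
        for name, pw in users.items():
            salt = secrets.token_bytes(16)
            self._users[name] = (salt, hash_password(pw, salt))
        # Tokens are stored as SHA-256 digests: a leaked table gives no usable token.
        self._tokens = {}
        self._now = now  # injectable clock so expiry can be exercised deterministically

    def _verify_password(self, user: str, password: str) -> bool:
        # Always run the KDF, even for unknown users, to keep timing uniform.
        salt, expected = self._users.get(user, (b"\0" * 16, b"\0" * 32))
        ok = hmac.compare_digest(hash_password(password, salt), expected)
        return ok and user in self._users

    def login(self, user: str, password: str) -> str:
        """Step 2: credentials (sent over https only) are traded for a token."""
        if not self._verify_password(user, password):
            raise AuthFault(401, "bad credentials")
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._tokens[digest] = (user, self._now() + TOKEN_TTL_SECONDS)
        return token

    def _authenticate(self, token: str) -> str:
        digest = hashlib.sha256(token.encode()).digest()
        entry = self._tokens.get(digest)
        if entry is None:
            raise AuthFault(401, "unknown token")
        user, expires = entry
        if self._now() >= expires:
            del self._tokens[digest]  # expired tokens are dropped on first use
            raise AuthFault(401, "token expired")
        return user

    def token_valid(self, token: str) -> bool:
        """Boolean form of the check, handy for callers that do not want a fault."""
        try:
            self._authenticate(token)
            return True
        except AuthFault:
            return False

    def whoami(self, token: str) -> str:
        """Step 3: every later call carries the token instead of the password."""
        return self._authenticate(token)

    def logout(self, token: str) -> bool:
        self._tokens.pop(hashlib.sha256(token.encode()).digest(), None)
        return True


def make_client(url: str) -> xmlrpc.client.ServerProxy:
    """Step 1, client side: refuse anything but https so the password passed to
    login() never crosses the wire in clear (assumed wrapper, not stdlib)."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing non-https endpoint: " + url)
    return xmlrpc.client.ServerProxy(url)


if __name__ == "__main__":
    svc = TokenService({"alice": "correct horse battery"})
    tok = svc.login("alice", "correct horse battery")
    print("token issued for", svc.whoami(tok))
    svc.logout(tok)
    print("valid after logout:", svc.token_valid(tok))
```

The server-side store never keeps the token itself, only its SHA-256 digest, so the "hash" the quoted poster mentions costs nothing extra and a dumped token table cannot be replayed. The injectable clock exists purely so expiry can be tested without sleeping.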
