> 3. AAA
> Badly needed, on two sides:
>
> a. Server side: not that hard to implement, after all, at least in a
> not-so-granular way. We might go the hard way with security-oriented
> markup languages and node-based security or just rely on URI-based
> authentication, with a Tomcat/Slide/younameit-like role system. I'd go
> for the latter: collection-based security should be enough for most needs.
>
> b. transport: if we are going to have usernames and passwords flying over
> the wire, we need to protect them. XML-RPC over HTTPS? CHAP? Kerberos?
> Other thoughts?

XML-RPC over HTTPS is pretty straightforward and easy for users to
implement.  The interactive admin tools I have been working on already do
this using the Sun JSSE package (although I have not committed it to the
scratchpad area yet).  Creation of the random key to start an SSL connection
is slow, but the performance is satisfactory in my opinion.

Kurt
