Kurt Ward wrote:

b. transport: if we are going to have username and passwords flying over
the wire, we need to protect them. XML-RPC over HTTPS? CHAP? Kerberos?
Other thoughts?


XML-RPC over HTTPS is pretty straightforward and easy for users to implement. The interactive admin tools I have been working on already do this using the Sun JSSE package (although I have not committed it to the scratchpad area yet). Creation of the random key to start an SSL connection is slow, but the performance is satisfactory in my opinion.

Hmmm... I'm wondering if this startup delay will occur on every XML-RPC request: in this case it might be unacceptable in a production environment with lots of queries. Is it possible (I'm ignorant about JSSE) to cache a session-wide random key for reuse?


Ciao,

--
Gianugo Rabellino


