> Kurt Ward wrote:
>
> > b. transport: if we are going to have username and passwords flying over
> > the wire, we need to protect them. XML-RPC over HTTPS? CHAP? Kerberos?
> > Other thoughts?
> >
> >
> > XML-RPC over HTTPS is pretty straight-forward and easy for users to
> > implement. The interactive admin tools I have been working on already do
> > this using the Sun JSSE package (although I have not committed it to the
> > scratchpad area yet). Creation of the random key to start an SSL connection
> > is slow, but the performance is satisfactory in my opinion.
>
> Hmmm... I'm wondering if this startup delay will occur on every XML-RPC
> request: in this case it might be unacceptable in a production
> environment with lots of queries. Is it possible (I'm ignorant about
> JSSE) to cache a session-wide random key for reuse?

The random key is not generated on each request. On initial startup of an XML-RPC client, it takes ~3-4 seconds to generate the key. After that, the key is reused and speed degradation is not very noticeable. (Maybe 30ms or so?)

Kurt