Archive of UserLand's first discussion group, started October 5, 1998.

Re: XML-RPC via E-mail

Author:Jim Flanagan
Posted:7/6/1999; 9:49:56 AM
Topic:XML-RPC via E-mail
Msg #:8241 (In response to 8234)
Prev/Next:8239 / 8242

[T]he issue of privacy and security would be better dealt with within the XML-RPC spec, independent of transport type.

I agree. I have been doing some thinking about this in deploying XML-RPC in authenticated environments, and I came up with something which is inside out from what you describe. Instead of encrypting the entire contents of the payload (which could be costly) and relying on the encryption mechanism for authentication, it might make more sense to separate encryption and authentication for environments which do not require encryption.

I have been working on an authentication/key-exchange which is "cryptography free" (envision author using index and middle fingers of each hand held above head to indicate quotes) in that it uses only an md5-based HMAC to prove identities and exchange a session key. (it turns out that, in some places, computing the XOR of data with a hash of some other data is "cryptography" in the legal sense).

MD5 is advantageous because is quick and ubiquitous. After the session key has been negotiated, (a couple of exchanges, optionally one exchange with a trusted-third party) an authenticated XML-RPC message within a session might look like the snippet below. It only adds a little bit to the payload.

I can go into more detail if there is some interest in pursuing the topic of authenticated XML-RPC. A spec should be flexible enough to incorporate several styles of authentication (e.g. Kerberos).


This page was archived on 6/13/2001; 4:51:17 PM.

© Copyright 1998-2001 UserLand Software, Inc.