We've been mentioning this only since 2001. Quoting myself:
http://www.opensrs.org/archives/dev-list/0112/0035.html
It seems to me (I might be wrong) that the OpenSRS engineers have
spent a good deal of effort to create parallel versions of the
XML-RPC and SSL protocols. [...] the connection preamble (client
validation, encryption set-up) could have been done via an SSL module.
Using client certificates would alleviate the need for the reseller
"cookie" and secret passwords. All these details are irrelevant to the
function the server performs and should be left to a lower layer.
Reiterated recently:
http://www.opensrs.org/archives/dev-list/0305/0035.html
I had suggested a while ago to have SSL replace the initial connection setup (reseller authentication and encrypted transport setup). SSL supports both client and server authentication, and is already available for most languages.
By replacing the reseller key with a client certificate using SSL-TLS,
the API can be implemented completely at the application level which is
arguably a much cleaner thing to do anyway.
-- Regards, L.C. (Laurentiu Badea)
[EMAIL PROTECTED] wrote:
If communications are encrypted using SSL, that eliminates the need to do any encryption in the client code.
Has anyone brought up the possibility of using SSL to do the encryption instead of using blowfish?
