Kan Zhang wrote:
One problem I see with using HTTP is that it's expensive to provide data encryption. We're currently adding 2 authentication mechanisms (Kerberos and DIGEST-MD5) to our existing RPC. Both of them can provide data encryption for subsequent communication over the authenticated channel. However, when similar authentication mechanisms are specified for HTTP (SPNEGO and HTTP DIGEST, respectively), they don't provide data encryption (correct me if I'm wrong). For data encryption over HTTP, one has to use SSL, which is expensive.
Java supports using Kerberos-based encryption for TLS (nee SSL):

http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#KRB
http://tools.ietf.org/html/rfc2712

There's also a standard way to use tickets over TLS:

http://tools.ietf.org/html/rfc4507

Doug