The encryption can be performed in one of two ways. The first is to add an interceptor before the remoting or within the data marshaller implementation (I need to make the second a little easier to do). The other is to have a SSL transport (i.e. https).
I don't want to have authentication be part of the core remoting. When being used within an ejb call, this is already takend care of as is an interceptor before and after remoting (the payload just contains the security information). However, using remoting stand alone, want to be able to provide a way to do this. Also, when dynamic classloading is added back in, will then have to make remoting aware of authentication (at least indirectly).
As for timeframe, https invoker is a little ways out as am just starting on the http invoker implementation. A simple encryption marshaller would be fairly simple to write, if need something soon. What is your timeframe for needing this? Don't guess you would have extra cycles to help on this?
Yes, security should be an aspect integrated via an interceptor. There are areas where the transport details do matter for security. One is when security depends on the client endpoint. Another is when you need feedback from the transport on the security context. SSL and IIOP both have such notions.
Something to consider integrating with JBoss/Remoting for security:
I just took a quick look at it - seems to be a Java implementation of SSH2 - so data encryption and authentication can be handled. They say its a pure Java implementation, so no native stuff.