For the purposes of securing the Remoting 3 HTTP transport, I intend to rely on HTTPS and standard HTTP authentication mechanisms to provide the authentication and encryption for the transport.

Another possibility would be to use a SASL layer nested inside of the HTTP request body. However, because the user-provided message headers would not be encrypted if this option were followed, I opted against it. In addition, it makes more sense to me to reuse existing mechanisms rather than invent new ones.

Any comments?