[Zope] Security + XMLRPC
chas
panda@skinnyhippo.com
Wed, 13 Oct 1999 03:16:44 +0800
Using Zope for B2B. Partner websites take orders from their
staff or clientele and relay those orders to us. So, the actual
communications between these participating companies' servers
and our own server are totally automated.
Security exists at 3 layers:
a) Host/IP - we've already filtered hosts that can connect to us
based on IP. But, since IPs can be spoofed, we may buy hardware
VPN solutions. (problem: hardware VPN can be expensive for our
partners or even impossible if they are colocating)
b) Protocol. At the moment I've got a prototype running with XMLRPC
which was damned easy to create. However, there is no security
mechanism built into XMLRPC (or at least not that I can see). So, all
data is transferred in the clear.
c) The data/information itself. Since there is no authentication
with XMLRPC, the data itself is encoded (using rotor and other
simple Python encryption modules) with a unique key that we will
provide to each participating company/site.
I really like using XMLRPC but is the above simply a disaster
waiting to happen? Would CORBA, HTTPS (i.e. using SSLeay), or SSH
be better suited? And is anyone already doing anything like this?
Thanks in advance,
chas
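
Added example, not part of the original post: one way a per-partner key (layer c above) can authenticate each XML-RPC order, using HMAC-SHA256 from the Python standard library in place of rotor, which is no longer shipped with Python. The partner ids, keys, `place_order` method name and 300-second window are assumptions made for the illustration; the tag authenticates the order but does not hide it, so confidentiality would still have to come from the transport.

```python
import hashlib
import hmac
import time
import xmlrpc.client

# Constructed per-partner keys (hypothetical partner ids and secrets).
PARTNER_KEYS = {"partner-a": b"constructed-key-a", "partner-b": b"constructed-key-b"}
MAX_SKEW = 300  # seconds a signed order stays acceptable (assumed policy)


def _tag(key, partner_id, ts, body):
    """HMAC over partner id, timestamp and the marshalled XML-RPC body."""
    msg = f"{partner_id}|{ts}|".encode() + body.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_order(partner_id, key, order, now=None):
    """Partner side: marshal the order as XML-RPC and attach an HMAC tag."""
    ts = int(time.time() if now is None else now)
    body = xmlrpc.client.dumps((order,), methodname="place_order")
    return {"partner": partner_id, "ts": ts, "body": body,
            "mac": _tag(key, partner_id, ts, body)}


def verify_order(envelope, seen, now=None):
    """Receiving side: return the order, or raise ValueError if rejected."""
    now = time.time() if now is None else now
    key = PARTNER_KEYS.get(envelope["partner"])
    if key is None:
        raise ValueError("unknown partner")
    expected = _tag(key, envelope["partner"], envelope["ts"], envelope["body"])
    # Constant-time comparison; done before any XML parsing of the body.
    if not hmac.compare_digest(expected, envelope["mac"]):
        raise ValueError("bad MAC")
    if abs(now - envelope["ts"]) > MAX_SKEW:
        raise ValueError("stale timestamp")
    if envelope["mac"] in seen:  # same signed order presented twice
        raise ValueError("replayed order")
    seen.add(envelope["mac"])
    params, method = xmlrpc.client.loads(envelope["body"])
    if method != "place_order":
        raise ValueError("unexpected method")
    return params[0]
```

The `seen` set stands in for whatever store the receiving server uses to remember tags inside the acceptance window.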