I think I have a rather unusual situation... I need to authenticate:
  • my Lobo plugin with the server, and
  • the server (actually, an HTTP response) with my user.
(See JavaForge: Gryphon for what I'm doing.)

The first is the trickier of the two, because the open-source plugin must be distributed freely to users and all copies must have the same private key. (Each server will have copies of the plugin's public key.)

But the second is also pretty tricky in a similar way. I think the response will be dynamic, so the private key needs to be available for signing at runtime. Also, the private key will be the server's... Would it be best to supply an interface (or abstract class?) for the server to implement, and pass the response to be signed through a method in that interface?
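For the second case (the server signs a dynamic response with its own private key, and the plugin checks it with the server's public key), here is an added example of the interface-based design asked about above. It is not code from the original post, from Lobo, or from Gryphon; the `ResponseSigner` interface, the `SHA256withRSA` choice, and the header name mentioned in the comments are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Base64;

public class SignedResponseDemo {

    /** Contract the server implements. The plugin only calls it; it never sees the private key. */
    public interface ResponseSigner {
        /** Returns a Base64 signature over the exact bytes of the response body. */
        String sign(byte[] responseBody) throws GeneralSecurityException;
    }

    /** One possible server-side implementation, backed by an RSA key held only on the server. */
    public static final class RsaResponseSigner implements ResponseSigner {
        private final PrivateKey privateKey;

        public RsaResponseSigner(PrivateKey privateKey) {
            this.privateKey = privateKey;
        }

        @Override
        public String sign(byte[] responseBody) throws GeneralSecurityException {
            Signature sig = Signature.getInstance("SHA256withRSA"); // algorithm assumed for the example
            sig.initSign(privateKey);
            sig.update(responseBody);
            return Base64.getEncoder().encodeToString(sig.sign());
        }
    }

    /** Plugin side: checks the body it received against the signature header and the shipped public key. */
    public static boolean verify(PublicKey serverPublicKey, byte[] responseBody, String base64Signature)
            throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(serverPublicKey);
        sig.update(responseBody);
        try {
            return sig.verify(Base64.getDecoder().decode(base64Signature));
        } catch (IllegalArgumentException | SignatureException malformed) {
            return false; // not valid Base64 or wrong length: treat as unsigned, never as trusted
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a fresh key pair stands in for the server's real key. In deployment the
        // server loads its private key from a keystore and the plugin ships only the matching public key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair serverKeys = gen.generateKeyPair();

        ResponseSigner signer = new RsaResponseSigner(serverKeys.getPrivate());

        // A dynamic body built at request time; the server signs it just before sending.
        byte[] body = "{\"user\":\"alice\",\"ts\":1700000000}".getBytes(StandardCharsets.UTF_8);
        String signatureHeader = signer.sign(body); // e.g. carried in an X-Gryphon-Signature header (name assumed)

        // Plugin side: the genuine body verifies, a modified body does not.
        PublicKey shippedPublicKey = serverKeys.getPublic();
        System.out.println("genuine:  " + verify(shippedPublicKey, body, signatureHeader));

        byte[] tampered = "{\"user\":\"mallory\",\"ts\":1700000000}".getBytes(StandardCharsets.UTF_8);
        System.out.println("tampered: " + verify(shippedPublicKey, tampered, signatureHeader));
    }
}
```

Run with `javac SignedResponseDemo.java && java SignedResponseDemo`; the first check prints `true` and the second `false`. Two points worth keeping in mind with this design: sign the body bytes exactly as they go on the wire (after any compression or encoding), or the plugin will hash different bytes than the server signed; and a signature alone proves origin, not freshness, so put a timestamp or nonce inside the signed content if a replayed old response would matter.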