Hi Brad, Great talk. Since it's security related, I thought I'd mention to you and the rest of the list a discussion that look place last week in a Data Science meeting. If you or anyone has an feedback about this, please let me know! Thanks, Phil p.s. The message I just sent: Just a quick follow up to the question about storing passwords in a config file for a SWORD* client to communicate with DVN's upcoming Data Deposit API. I think the *right* way to do this is to somehow implement the passing of API keys rather than usernames and passwords but I checked with other implementers of the SWORDv2 protocol and no one seems to be doing this yet as it has been deemed "Too Hard": http://www.mail-archive.com/sword-app-tech@lists.sourceforge.net/msg00340.h… The spec lead for SWORD seems eager to know if there is anything in the spec that would preclude anyone from implementing API keys so maybe someone will figure this out in the future. In the meantime, as I mentioned, in all of my testing I'm sending usernames and passwords over HTTPS, so they are encrypted across the wire. Perhaps in the dvn_client** we demo'd we could at least encrypt the password in the config file so it isn't visible in clear text. And we could encourage people using the Data Deposit API to do the same. The encryption would need to be reversible, however, since the actual password needs to be sent to use the SWORD protocol. For more detail on all of this, please see DVN Suggestion #3208 - Allow the Data Deposit API to use API keys: https://redmine.hmdc.harvard.edu/issues/3208 Phil * SWORD stands for Simple Web-service Offering Repository Deposit: http://en.wikipedia.org/wiki/SWORD_%28protocol%29 ** https://github.com/dvn/swordpoc/tree/master/dvn_client On Thu, Jul 25, 2013 at 1:51 PM, Frank, Bradley <bfrank(a)hmdc.harvard.edu> wrote: -- Philip Durbin Software Developer for http://thedata.org http://www.iq.harvard.edu/people/philip-durbin