Web services

Hi there,
my team in UPC Barcelona is working in a crusade of implementing a contrib webservices layer implementing some OKI OSID's ... this is for a research project that may lead to somewhere sometime. I believe that our work can be useful as a starting point to implement a specific webservices layer for moodle, as we are discussing here.

I've got an intriguing question about autentication. Shall an external client be allowed to autenticate a user? For example a cell phone moodle client (we have a prototype of those) should not send username nor passowords over the net to autenticate its holder. How do we deal with this ? To make this kind of things work in our OKI adventure we needed to implement a installation process of the client application (involving the administrator) were the client application and the moodle server set up the rights and grade of trust that the client application should credit for.

Any insights ?
Ludo