*snip*
>> My thinking is firstly to require all clients to provide a public digital
>> certificate, then when they request the data send something like.
>>
>> <data_transmission>
>>   <key>
>>     AES key that has been encrypted with PGP using the public key
>>   </key>
>>   <data>
>>     data encrypted with AES using the un-encrypted key
>>   </data>
>> </data_transmission>
>>
>> Then when the client receives the data, they un-encrypt the key with their
>> private key, and then un-encrypt the data.
>>
>> Firstly, is this approach secure?
>
> If you implement it correctly, this is the "standard" approach

*snip*

This isn't something I've got a lot of experience of, but...

It's worth pointing out that you probably wouldn't send the lump of XML
above. If you do this, you'll have to get your software to manage
encryption, decryption, key sharing, and lots of other fluff that I doubt
you care about.

What you'd probably do instead is simply communicate over a secure
socket, and pretty much forget about encryption. Your program may be
entirely oblivious to it, in fact, or may be a little aware in that it
knows it's setting up a secure socket, or perhaps checks that the socket
creation parameter it's been given results in a secure socket. Something
like that.

As the first poster said, I think it's likely that:

> The library you are interested in is OpenSSL

Cheers,
  Benjohn
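
Added example, not part of the original message: a sketch of the "secure socket" approach in Python, whose standard `ssl` module is built on OpenSSL, including the check that the context handed to the program really produces an authenticated channel. The function names and problem labels are hypothetical, and the unverified context is a constructed bad example.

```python
import socket
import ssl

def make_client_context(cafile=None):
    """Client context that verifies the server's certificate chain and name."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def context_problems(ctx):
    """Return the reasons a context would NOT give an authenticated channel."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("no-cert-verification")
    if not ctx.check_hostname:
        problems.append("no-hostname-check")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("old-protocol")
    return problems

def open_secure(host, port, ctx):
    """Refuse a weak context before connecting, then do the TLS handshake."""
    problems = context_problems(ctx)
    if problems:
        raise ValueError("refusing insecure context: " + ", ".join(problems))
    raw = socket.create_connection((host, port), timeout=10)
    try:
        # Key exchange, cipher negotiation and certificate checks happen here.
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise

def make_unverified_context():
    """Constructed bad example: traffic is encrypted, but the peer is unchecked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

if __name__ == "__main__":
    print(context_problems(make_client_context()))
    print(context_problems(make_unverified_context()))
```

After `open_secure` returns, the application reads and writes the socket as plain data; the hybrid key wrapping from the XML sketch is handled inside the TLS handshake.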