> Applications can gain a lot of security by building on top of a lower 
> layer secure communication substrate, such as that provided by IPsec 
> or TLS.  Such substrates allow the application developer to make 
> assumptions about the security of the basic communication path, and 
> have these assumptions be valid.  Precisely the sorts of things you 
> are citing as "bad" can be addressed in this way.  Fancier 
> application security requires some level of customization, perhaps in 
> an application-specific fashion, as you noted.

I beg to differ.  Few applications can use IPsec or TLS authentication 
as-is.   A few more can get away with using username/password schemes
on top of IPsec or TLS privacy.  But neither IPsec nor TLS is anything
resembling a generally applicable authentication solution.  


Reply via email to