Originally designed for sharing information among researchers, the Internet is now being used for a growing number of business-to-business and business-to-consumer interactions. These interactions require a sufficient level of security, ranging from the correct identification of participants to secure, encrypted payment methods and nonrepudiation interactions. The Internet grew out of the academic community, so security mechanisms that applications could build on were not part of the original protocol and service design. Instead, different and incompatible mechanisms were attached to some individual applications (e.g., passwords for telnet and FTP), while other services (most routing protocols, SMTP, etc.) were not secured at all, or were secured only by limited or proprietary mechanisms.

It is astounding that the Internet has functioned properly for more than 20 years despite these security flaws, which are compounded by security defects in the operating systems, middleware, and application software that is used on systems connected to the Internet. During the discussion on the redesign of the current Internet Protocol Suite, it became clear that a redesign should also incorporate some basic security features that could be used “as is” on every Internet-enabled platform. The intent was for these features to provide some minimum level of security against many Internet-based attacks and form well-known and tested building blocks for applications and middleware ...