The problem with TLS and IPsec as security protocols for protecting Internet messages is that Internet messaging protocols don’t have a one-to-one mapping with the systems that carry Internet messages. Consider Internet email: One system is used by the originator of an email message to compose and submit the message to an SMTP server. That SMTP server may only be a relay, accepting messages from users and passing them along to another SMTP server that actually routes the messages to an SMTP server acting for the destination mailbox. From there, the message is stored on a POP server, which is accessed by the destination MUA. In all, there are five different application protocol interactions in a chain linking five different servers, using two different application protocols.

Internet messaging security must be applied at a higher, rather than lower, protocol layer. Securing the link between the source MUA and its SMTP relay achieves next to nothing if the SMTP server connecting to the remote SMTP server across the open Internet is not secure. Applying IPsec or TLS in this case also offers relatively little benefit. Although the entity sending the message can use IPsec to securely tunnel packets to the SMTP relay and, within that tunnel, use TLS to encrypt a virtual circuit, the source entity has no control over how other hosts beyond the SMTP relay handle their connections.

We’ve already seen how SMTP, POP, and IMAP can use authentication extensions, but these precautions are useful only for protecting one interaction at a time. So even applying security at the individual application protocol layer, an approach that has been successful for other Internet applications, does not solve the problem for Internet messaging.

The problem is that Internet messaging is a store-and-forward application. Building security between the entities that store and forward messages doesn’t address the fundamental problems of keeping messages private and preventing message forgery or alteration. In this section, we discuss in more detail what exactly messaging security entails.
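
A per-hop audit of the relay chain described above, as an added example that is not from the original text: it reads the Received trace headers that each SMTP server prepends and reports which hops recorded TLS. The sample message, host names and function names are constructed for illustration, and it assumes relays record TLS with the RFC 3848 `with` keywords (such as ESMTPS and ESMTPSA), which not every server does.

```python
import re
from email import message_from_string

# "with" keywords that record a TLS-protected hop (RFC 3848 registry).
TLS_WITH = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample: newest Received header first, reserved example hosts.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.30])
\tby store.example.net with ESMTPS id C3; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.example.org (relay.example.org [192.0.2.20])
\tby mx.example.net with ESMTP id B2; Mon, 1 Jan 2024 10:00:02 +0000
Received: from laptop.example.org (laptop.example.org [192.0.2.10])
\tby relay.example.org with ESMTPSA id A1; Mon, 1 Jan 2024 10:00:01 +0000
From: alice@example.org
To: bob@example.net
Subject: constructed sample

body
"""

def hops(raw):
    """Return hops in travel order as dicts: sender, receiver, proto, tls."""
    msg = message_from_string(raw)
    out = []
    # Each relay prepends its own header, so reverse to get travel order.
    for value in reversed(msg.get_all("Received", [])):
        # Unfold the header and drop the trailing "; date" part.
        clauses = " ".join(value.split()).rsplit(";", 1)[0]

        def field(name):
            m = re.search(rf"\b{name}\s+(\S+)", clauses)
            return m.group(1) if m else None

        proto = (field("with") or "").upper()
        out.append({"sender": field("from"), "receiver": field("by"),
                    "proto": proto, "tls": proto in TLS_WITH})
    return out

def unprotected(raw):
    """List (sender, receiver) pairs for hops that did not record TLS."""
    return [(h["sender"], h["receiver"]) for h in hops(raw) if not h["tls"]]

if __name__ == "__main__":
    for h in hops(SAMPLE):
        mark = "TLS" if h["tls"] else "CLEAR"
        print(f'{h["sender"]} -> {h["receiver"]}: {h["proto"]} [{mark}]')
```

Received headers are written by the relays themselves, so the report shows only what each hop claims. Even a hop marked as TLS left the message in plaintext on the server that stored and forwarded it.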