Folks:

(I hope others will start posting here as well :))

I am thinking about security issues for my networked application. Specifically, how to authenticate a user properly, so a server can trust the client talking to it is doing so on behalf of the correct user, and the client can trust that the server it is talking to in fact represents a valid server for the application, and can authenticate this. I haven't read up on things like public key infrastructures or whatnot else. If someone else has run into this problem before, and is willing to share some of what they learned, I think that would be valuable to the list.

Basically I see the security issue broken up into sections.

1) transport security: being able to send data/information without compromise of the information (generally handled by TLS, SSL, etc)
2) user authentication: being able to verify the identity of the user of the service
3) server authentication: being able to verify the identity of the server and service (generally handled by certification authorities and server certificates).

I look at each transaction between server and client as needing to be secure in the sense of the above list (and possibly others I have not considered).

Are there any good discussions of this type of security in book or URL formats? I am looking for practical examples I can use/learn from. If you have any experience with these issues, please feel free to talk about them here.

Thanks again!

Joe