What about sips:/TLS, S/MIME, and digest auth? These are all integral to the 'standard', and many popular implementations support these facilities currently.
IPSec may be less painful within a single domain, but in other cases, I'd think that these facilities (or their derivatives) are the only practical option for 'real' security. Granted it is all pretty worthless if you dont enable/use any of it... Am I missing something?
Regards,
Andrew Bender
taqua.com