A security protocol entity (20) is provided that includes a mechanism for enabling a first party (11) to communicate securely with a second party (60) through an access-controlling intermediate party (13) by nesting within a first security session (64) established with the intermediate party (13) a second security session (65) with the second party (60). The protocol data units, PDUs, associated with the second security session (65) are encapsulated in PDUs associated with the first security session (64) when sent out by the first party, the intermediate party extracting the encapsulated PDUs for sending on to the second party (possibly with a change to the destination address included in the PDU to be sent on). Each PDU includes a message type field explicitly indicating to the intermediate party (13) if a received PDU encapsulates another PDU intended to be sent on. The establishment of a security session between two parties is made dependent on each party proving by attribute certificates that it has certain attributes required of it by the other party. Where the intermediate party (13) fronts for the second party (60) and the first party (11) initially contacts the intermediate party in the belief that it is the second party, then the latter will indicate its relay status to the first party which can then request the intermediate party (13) to permit a tunnel to be established through it to the second party (60). The first party may place different attribute requirements on the intermediate party in its tunnel role to those initially expected of it when the first party thought it was the second party.