The IPsec architecture document states that when 2 transport mode security associations (SAs) are bundled to allow both the AH and ESP protocols on the same end-to-end flow, only 1 ordering of security protocols seems appropriate: performing the ESP protocol before performing the AH protocol. Why is this approach recommended rather than authentication before encryption?

In the Secure Sockets Layer (SSL) and Transport Layer Security (TLS), why is there a separate Change Cipher Spec protocol rather than including a change_cipher_spec message in the Handshake Protocol?