I can certainly understand the need for access control & security,
but with the use of a smart-card one-time password system, this is
a moot point.
Huh? How are you going to stop a system from "illegally"
(in the sense of the provider, contracts, or whatever)
acting as -say- www, ftp, or whatever server with such
a one-time password system? You'll need access control
*based on IP addresses* to reach that goal!
Perhaps you would like to flesh out these requirements
with Dave O'Leary for the PIER WG. This was an area
that was of particular concern, in an environment where
renumbering is a fact of life.
--bill