How to model/account for IP-based authentication restrictions?

See #6 and #16. We know we have IP-based auth needs, and need to figure out how to address them. `acl:trustedOrigin` was proposed but it's not part of the core vocabulary yet. 
