Hello Yann,
I guess this question is for me, not the doc :)
Yep!
[...] So, finally, mentioning that *any* IP/host-based authz should be combined with other authz/authn (SSL certificates, credentials schemes, ...) for stronger requirements may be the way to go.
I agree that combining authz is the way to go, esp. with sensitive applications which are more and more hosted outside of organizations, or even provided as SaaS.
I'm not sure of a good place to discuss authorization policies in general in the documentation though.
Or maybe simply not change the doc since all this might be quite obvious...
I would be fine with this solution :-)

-- Fabien.