It's come to my attention that work is under way to separate access control of geospatial web services from digital rights management. A wise thing to do, and not only because GeoDRM is a non-starter. The access control problem has already been solved by the pioneers of internet commerce. If you don't believe me, go read the Apache httpd authorization and authentication docs. Anybody have an access use case that can't be solved by an Apache proxy, mod_rewrite fu, and tweaking of row/column privileges in your data store? It would have to be quite the corner case.