OAuth enables a very simple type of delegation, a user can delegate permissions between two services that they have accounts on. In other words, OAuth lets a user delegate permission to themself. But full delegation allows arbitrary users of arbitrary services to give permissions to each other. In this article I summarize the two key extensions to OAuth needed to enable it to do full delegation. The first is ’on behalf of’ (e.g. a service saying ”I am making this request on behalf of user X”) and the second is a very simple directory service. The rest of the article tries to use something like plain English to explain how these features could work in OAuth. (more...)

Having a finger service as a directory to find information about users and services appears to be absolutely necessary if ad-hoc information sharing between people and services is to be possible. But just having a way to finger a person or service is less than 1/2 the battle. The real challenge is making it possible for services to update their user’s finger information in an ad-hoc manner. I explore the issues around dynamic finger update in this article. (more...)