[okfn-help] Remote annotation service authentication notes

Nick Stenning nick at whiteink.com
Mon Dec 6 15:33:32 GMT 2010

Dear Rufus, and anyone else that's interested,

We've been discussing for a while the possibility of having a
generalised "annotation service", that serves as a third party storing
annotations for "consumer" services such as OpenShakespeare, Comment
On It, Weaving History. If possible, we might also like users to be
able to sign up directly to the annotation service, so that they can
annotate anything on the web by clicking on a bookmarklet.

Rufus and I have had a few discussions about the first of these two
possibilities. Specifically, we've been wrestling with the issue of
how we authorise users' browsers to create annotations on a Consumer's
behalf? There are three entities involved:

1) The Service Provider (e.g. annotations.okfn.org or something similar)
2) The Consumer (e.g. OpenShakespeare)
3) The User (and the User Agent)

Initially, the Consumer must register with the Service Provider: "I
would like you to store my users' annotations on my behalf"

After that, I'd like communication between the Consumer and the
Service Provider to be minimal, and for annotations to be created only
by communication between the Consumer and the User, and the User and
the Service Provider.

I've put up a broad overview of a protocol that would allow this to work at


(See below "Authentication" heading...)

If anyone -- particularly those with a security background -- fancies
looking this over, I'd appreciate any input.

Best wishes,

More information about the okfn-help mailing list