Domain Federation Protocol
Domain Federation Protocol was a proposed specification for a mechanism for ad-hoc authentication between websites, using a dialback mechanism to turn domain names into identities.
Brad Fitzpatrick and Brett Slatkin based the fundamental idea behind PubSubHubbub on XMPP PubSub, a system for distributing push notifications over XMPP. While I was working with them to draft the specification I realized that the ability to verify ownership of a URL -- a key security technique in PubSubHubbub -- would be a useful building block for other applications on the federated social web.
I set about trying to adapt XMPP's dialback mechanism to HTTP. While XMPP uses TCP sockets to establish a long-running session, I took inspiration from how web applications maintain sessions using bearer tokens in cookies and invented a simple protocol for performing dialback and exchanging such tokens.
The high-level request flow is as follows:
Since there is lots of chatter in establishing an association, the dialback association is established as a separate step before making any other requests. The token can then possibly be used for many requests before it expires and a new token must be requested. Since the association happens out of band of any "real" request, an implementation can also pro-actively attempt to refresh associations for domains it expects to contact so that the dialback process won't block a later operation.
The Domain Federation Protocol makes the assumption that once a caller has proven ownership of a domain it is free to "act as" any user under that domain, using the familiar user@domain syntax of email addresses. This makes Domain Federation Protocol particularly suitable for interaction of domains that each have hundreds, thousands or even millions of users since only one association needs to be maintained no matter how many users are communicating.
The primary use I imagined for this protocol was to use it in conjunction with Activity Streams to transmit activities, messages and other content between different social web nodes. In the mean time, Evan Prodromou defined a similar protocol which is implemented in his project pump.io. Given that the two protocols are largely redundant and that pump.io is a more mature product than my prototypes, I suggest that those who are interested in the idea of dialback verification consider Evan's protocol instead.