OAuth 1st draft released
I'm a bit late on this, but the first draft of the OAuth spec has been published. OAuth is (very roughly) an OpenID equivalent for applications - it lets a 'consumer' application (the standard example seems to be a printing service) contact a service provider (continuing the example, say Flickr) to request information from one of the service provider's users, rather than following the current trend of asking the user for their username and password and then page-scraping.

It works similarly to OpenID, in that if I went to the printing service's website and wanted to print some of my Flickr photos, it would redirect me back to Flickr with a key for Flickr. Flickr itself would then ask me if I'm OK with it and, assuming I am, send me back to the printer's website along with a matching key for the printing service to then access my Flickr photos.

If the big boys pick this up, it would hopefully lead to an end to the current method of requesting your username and password for another provider, which gives the new website total access. The biggest current culprit is asking for your Gmail/Hotmail/Yahoo login details to invite friends to a social network. It's clearly something users want to be able to do (if explained clearly and not the spam approach adopted by Quechup among others), but handing over your username and password to other third-party sites is far from ideal, as it gives them total control over your account. OAuth would limit them to specific actions, such as retrieving your photos or address book, and prevent them from impersonating you. Perhaps it's better described as your valet key for the web.
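The flow described above, as an added Python sketch that is not part of the original post or of the OAuth draft: a toy service provider hands out a key for the redirect, the user approves it on the provider's own site, and the consumer swaps it for a key limited to one action. The class, method and scope names are hypothetical, the account data is constructed, and request signing is left out.

```python
import secrets

class ServiceProvider:
    """Toy photo host. Class, method and scope names are hypothetical."""
    def __init__(self):
        self._password = {"alice": "correct horse"}   # constructed sample data
        self._photos = {"alice": ["beach.jpg", "cat.jpg"]}
        self._pending = {}   # request key -> {"scope": str, "user": str or None}
        self._granted = {}   # access key -> (user, scope)

    def request_key(self, scope):
        # Step 1: the consumer gets a key to send along with the redirect.
        key = secrets.token_urlsafe(16)
        self._pending[key] = {"scope": scope, "user": None}
        return key

    def approve(self, key, user, password):
        # Step 2: the user logs in at the provider itself and agrees.
        stored = self._password.get(user, "")
        if not secrets.compare_digest(stored.encode(), password.encode()):
            raise PermissionError("login failed")
        self._pending[key]["user"] = user

    def exchange(self, key):
        # Step 3: an approved request key is swapped, once, for an access key.
        grant = self._pending.get(key)
        if grant is None or grant["user"] is None:
            raise PermissionError("key unknown, already used or not approved")
        del self._pending[key]
        access = secrets.token_urlsafe(16)
        self._granted[access] = (grant["user"], grant["scope"])
        return access

    def _check(self, access, needed):
        user, scope = self._granted.get(access, (None, None))
        if user is None or scope != needed:
            raise PermissionError("key does not allow " + needed)
        return user

    def list_photos(self, access):
        return list(self._photos[self._check(access, "photos:read")])

    def change_password(self, access, new_password):
        self._password[self._check(access, "account:admin")] = new_password

def run_print_job(provider):
    key = provider.request_key("photos:read")
    provider.approve(key, "alice", "correct horse")   # done by the user
    return provider.list_photos(provider.exchange(key))
```

The printing service only ever holds the two keys: the password is typed at the provider, and the access key it ends up with is rejected by `change_password`.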