This is to follow up on something I wrote earlier about anonymous authorization with tokens.
The token would be an XML structure, digitally signed, and in some ways very similar to a SAML token.
Each token is linked to the resource it grants access to and to the user authorized to use it by two digital signatures, one "on top of" the other. The outer signature is created with the same private key that signed the resource the token grants access to; the inner signature is created with the authorized user's own private key.
So much for how the token can reliably be established as authentic and authoritative.
But what about linking the token to the request itself? The token is passed along with the request, in the HTTP headers in most cases. The cryptographic handshake has established the user's authority to use the token, and the user may pass along any number of tokens with a single request.
The recipient must, however, also be able to establish that the token(s) govern(s) the request at hand, not just that the user is authorized to use it (or them).
Inside the token will be more XML, following the conventions of the proposed Portable Authorization Management Language (PAML). Tokens of this kind are therefore called PAML tokens.
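The two-layer token and the checks a recipient would run on it, as an added example in Go; it is not code from the original post or from the PAML proposal. It assumes one Ed25519 key pair for the user and one for the resource signer, invents the element names (Grant, Resource, Method, Signed, Payload, Signature), signs raw bytes instead of canonicalized XML (a real XML-DSig token would need canonicalization), and stands in for the handshake by handing the verifier the client public key the handshake would have authenticated.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

// Grant is the innermost token body. Element names are an assumption for
// this example; the page does not give the PAML schema.
type Grant struct {
	XMLName  xml.Name `xml:"Grant"`
	Resource string   `xml:"Resource"` // URL of the resource the token grants access to
	Method   string   `xml:"Method"`   // HTTP method the grant covers
}

// Signed is one signature layer: base64 payload plus an Ed25519 signature
// over the exact payload bytes (no canonicalization, a simplification).
type Signed struct {
	XMLName   xml.Name `xml:"Signed"`
	Payload   string   `xml:"Payload"`
	Signature string   `xml:"Signature"`
}

// seal wraps payload in a Signed element signed with priv.
func seal(priv ed25519.PrivateKey, payload []byte) ([]byte, error) {
	return xml.Marshal(Signed{
		Payload:   base64.StdEncoding.EncodeToString(payload),
		Signature: base64.StdEncoding.EncodeToString(ed25519.Sign(priv, payload)),
	})
}

// open verifies one Signed layer under pub and returns the payload it protected.
func open(pub ed25519.PublicKey, env []byte) ([]byte, error) {
	if len(pub) != ed25519.PublicKeySize {
		return nil, errors.New("bad public key length")
	}
	var s Signed
	if err := xml.Unmarshal(env, &s); err != nil {
		return nil, err
	}
	payload, err := base64.StdEncoding.DecodeString(s.Payload)
	if err != nil {
		return nil, err
	}
	sig, err := base64.StdEncoding.DecodeString(s.Signature)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("signature does not verify")
	}
	return payload, nil
}

// IssueToken builds the two-layer token: the user signs the grant, then the
// resource signer countersigns the user's signed grant ("on top" of it).
// The result is the base64 string that would travel in an HTTP header.
func IssueToken(userPriv, resourcePriv ed25519.PrivateKey, g Grant) (string, error) {
	body, err := xml.Marshal(g)
	if err != nil {
		return "", err
	}
	inner, err := seal(userPriv, body)
	if err != nil {
		return "", err
	}
	outer, err := seal(resourcePriv, inner)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(outer), nil
}

// Request is what the recipient sees: method and URL, the token taken from
// the header, and the client key the handshake authenticated (assumed here).
type Request struct {
	Method, URL string
	Token       string
	ClientKey   ed25519.PublicKey
}

// Authorize checks the outer layer under the resource signer's key, the inner
// layer under the handshake-authenticated client key (so only the user who
// signed it can use it), and finally that the grant governs this request.
func Authorize(resourcePub ed25519.PublicKey, req Request) error {
	outer, err := base64.StdEncoding.DecodeString(req.Token)
	if err != nil {
		return err
	}
	inner, err := open(resourcePub, outer)
	if err != nil {
		return fmt.Errorf("outer (resource) layer: %w", err)
	}
	body, err := open(req.ClientKey, inner)
	if err != nil {
		return fmt.Errorf("inner (user) layer: %w", err)
	}
	var g Grant
	if err := xml.Unmarshal(body, &g); err != nil {
		return err
	}
	if g.Resource != req.URL || g.Method != req.Method {
		return fmt.Errorf("token grants %s %s, request is %s %s", g.Method, g.Resource, req.Method, req.URL)
	}
	return nil
}

func main() {
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, resourcePriv, _ := ed25519.GenerateKey(rand.Reader)
	resourcePub := resourcePriv.Public().(ed25519.PublicKey)
	// Constructed sample grant and request.
	tok, err := IssueToken(userPriv, resourcePriv, Grant{Resource: "https://example.org/reports/42", Method: "GET"})
	if err != nil {
		panic(err)
	}
	req := Request{Method: "GET", URL: "https://example.org/reports/42", Token: tok, ClientKey: userPub}
	fmt.Println("matching request:", Authorize(resourcePub, req))
	req.Method = "DELETE"
	fmt.Println("other method:", Authorize(resourcePub, req))
}
```

The order of checks matters: the outer layer is verified first because the resource signer's key is the one the recipient trusts a priori, and only a token that signer countersigned is worth opening further. A token presented by a client whose handshake key is not the key that produced the inner signature fails at the second step, and a valid token used against a different URL or method fails at the last one, which is the "governs the request at hand" check the text calls for.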