What will eventually become OAuth 2.0 is taking a first step.
After a couple of weeks of intense discussions on the OAuth WG list, I pushed out a new draft defining the Token Access Authentication Scheme. The new scheme replaces the OAuth authentication scheme defined in OAuth 1.0, and defines instead a general-purpose authentication scheme for both 2-legged and 3-legged use cases. It builds directly on the experience and ideas in OAuth 1.0 but significantly simplifies the protocol.
The new draft removes all the parameter encoding from the first version at the expense of removing support for some features. The most noticeable change is the lack of specific support for query or form-encoded parameters. Query parameters are now included as part of the request URI as an opaque string. Body form-encoded parameters can be included by hashing the entire raw body.
Another big change is removing support for transmitting credentials using the URI query or form-encoded body parameters. The new scheme uses the HTTP Authentication framework exclusively and requires the use of the HTTP Authorization header field to send authentication parameters.
GET /resource/1 HTTP/1.1
Host: example.com
Authorization: Token token="h480djs93hd8", method="hmac-sha-1", timestamp="137131200", nonce="dj83hs9s", auth="djosJKDKJSD8743243/jdk33klY="
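The following is an added example, not code from the draft or from this post: a server-side check for a request shaped like the one above, showing what treating the request URI as an opaque string and hashing the raw body mean for verification. The base string layout, the shared secret, the 300-second freshness window, the nonce cache and the helper names are assumptions made for illustration; the draft defines its own normalization.

```python
import base64
import hashlib
import hmac
import re

_PARAM = re.compile(r'(\w+)="([^"]*)"')          # name="value" pairs
REQUIRED = ("token", "method", "timestamp", "nonce", "auth")

def parse_token_header(value):
    """Split an 'Authorization: Token ...' value into a dict of parameters."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "token":
        raise ValueError("not a Token authorization header")
    params = dict(_PARAM.findall(rest))
    missing = [k for k in REQUIRED if k not in params]
    if missing:
        raise ValueError("missing parameters: " + ", ".join(missing))
    return params

def sign(secret, http_method, host, request_uri, body, p):
    """HMAC-SHA1 over an ASSUMED base string (not the draft's normalization)."""
    # The request URI, query included, is used verbatim as an opaque string;
    # a form-encoded body is covered by a hash of its raw bytes.
    body_hash = hashlib.sha1(body).hexdigest() if body else ""
    base = "\n".join([p["token"], p["timestamp"], p["nonce"],
                      http_method.upper(), host.lower(), request_uri, body_hash])
    mac = hmac.new(secret, base.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")

def verify(secret, http_method, host, request_uri, body, header, seen, now, skew=300):
    """Return True only for a fresh, unreplayed, correctly signed request."""
    try:
        p = parse_token_header(header)
        ts = int(p["timestamp"])
    except ValueError:
        return False
    if p["method"] != "hmac-sha-1" or abs(now - ts) > skew:   # skew is assumed
        return False
    expected = sign(secret, http_method, host, request_uri, body, p)
    if not hmac.compare_digest(expected.encode(), p["auth"].encode()):
        return False
    if (p["token"], p["nonce"]) in seen:          # replay of a valid request
        return False
    seen.add((p["token"], p["nonce"]))
    return True

def build_header(secret, http_method, host, request_uri, body, token, ts, nonce):
    """Client side: produce the Authorization header value for a request."""
    p = {"token": token, "timestamp": str(ts), "nonce": nonce}
    auth = sign(secret, http_method, host, request_uri, body, p)
    return ('Token token="%s", method="hmac-sha-1", timestamp="%s", '
            'nonce="%s", auth="%s"' % (token, ts, nonce, auth))
```

Because the URI is signed as an opaque string, a proxy or framework that reorders or re-encodes query parameters between client and server will make an otherwise valid request fail verification, so the server must verify against the request URI exactly as received.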