Ryan Paul has a good expansion at Ars of an O’Reilly Radar piece I noticed a little while back. Ryan backs up a bit to give some background on existing authentication systems and the problems inherent in using them effectively on the web. He then charts the current and future versions of OAuth on a trajectory that starts with addressing what he describes as the password anti-pattern (a third-party site asking you to hand over your username and password for some other service) and runs through streamlining this potentially more secure scheme into the same sort of simplicity HTTP’s native authentication schemes enjoy.
Part of how the stop-gap OAuth WRAP achieves its streamlining is by pushing the cryptographic protection of each request lower in the stack: instead of OAuth 1.0’s per-request signatures over a canonicalized copy of the request, WRAP sends a plain access token and relies on the tried and true SSL/TLS already available on most web servers to protect it in transit. That removes a lot of fiddly client and server code, but it also makes the token a bearer credential: whoever captures it can use it, so the TLS requirement is not optional. Ryan provides some more links to supplement David Recordon’s explanation of this stop-gap solution to OAuth’s complexity. WRAP is meant to serve in the meantime while the various stakeholders work on the 2.0 version of OAuth in cooperation with the IETF.
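To make the contrast concrete, here is an added example (not from Ryan’s article, the WRAP draft, or any OAuth library) that implements the OAuth 1.0 HMAC-SHA1 signing that WRAP does away with, alongside the one-line bearer-style header WRAP uses instead. The request URL, body and oauth_* parameters are the sample request from RFC 5849 section 3.4.1.1; the consumer and token secrets and the WRAP token value are constructed for the example. The `WRAP access_token="..."` header form follows the OAuth WRAP draft; the https check is the caveat from the paragraph above, enforced in code.

```python
"""OAuth 1.0 request signing (RFC 5849) beside OAuth WRAP's bearer token.
Added example: sample request from RFC 5849 3.4.1.1, secrets made up."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def _enc(s: str) -> str:
    # RFC 5849 3.6 percent-encoding: only unreserved characters stay bare
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    # lower-cased scheme/host, default port dropped, query and fragment removed
    p = urlsplit(url)
    scheme, host = p.scheme.lower(), p.hostname.lower()
    if p.port and p.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{p.port}"
    return f"{scheme}://{host}{p.path or '/'}"


def normalized_params(url: str, body: str, oauth: dict) -> str:
    # query + form body + oauth_* params (minus the signature), encoded, sorted
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body or "", keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth.items() if k != "oauth_signature"]
    encoded = sorted((_enc(k), _enc(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, body: str, oauth: dict) -> str:
    return "&".join([method.upper(), _enc(base_string_uri(url)),
                     _enc(normalized_params(url, body, oauth))])


def hmac_sha1(base: str, consumer_secret: str, token_secret: str = "") -> str:
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def oauth1_header(method, url, body, creds, nonce, timestamp) -> str:
    # client side: every request needs a fresh nonce, a timestamp and a signature
    oauth = {"oauth_consumer_key": creds["consumer_key"], "oauth_token": creds["token"],
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": timestamp,
             "oauth_nonce": nonce}
    base = signature_base_string(method, url, body, oauth)
    oauth["oauth_signature"] = hmac_sha1(base, creds["consumer_secret"], creds["token_secret"])
    return "OAuth " + ", ".join(f'{_enc(k)}="{_enc(v)}"' for k, v in oauth.items())


def parse_oauth_header(header: str) -> dict:
    params = {}
    for part in header[len("OAuth "):].split(","):
        k, v = part.strip().split("=", 1)
        params[unquote(k)] = unquote(v.strip('"'))
    return params


def verify_oauth1(method, url, body, header, creds) -> bool:
    # server side: must rebuild the exact same canonical form; a proxy that
    # re-encodes one query parameter is enough to break the signature
    params = parse_oauth_header(header)
    given = params.pop("oauth_signature")
    params.pop("realm", None)
    expected = hmac_sha1(signature_base_string(method, url, body, params),
                         creds["consumer_secret"], creds["token_secret"])
    return hmac.compare_digest(given, expected)


def wrap_header(url: str, access_token: str) -> str:
    # WRAP: no signature at all, the token is the credential, so the channel
    # has to be TLS or anyone on the path can replay it
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("bearer token must only be sent over https")
    return f'WRAP access_token="{access_token}"'


# Sample request from RFC 5849 3.4.1.1 (secrets below are constructed)
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_OAUTH = {"oauth_consumer_key": "9djdj82h48djs9d2", "oauth_token": "kkk9d7dh3k39sjv7",
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "137131201",
             "oauth_nonce": "7d8f3e4a"}
CREDS = {"consumer_key": "9djdj82h48djs9d2", "consumer_secret": "made-up-consumer-secret",
         "token": "kkk9d7dh3k39sjv7", "token_secret": "made-up-token-secret"}

if __name__ == "__main__":
    hdr = oauth1_header("POST", RFC_URL, RFC_BODY, CREDS, "7d8f3e4a", "137131201")
    print("OAuth 1.0:", hdr, verify_oauth1("POST", RFC_URL, RFC_BODY, hdr, CREDS))
    print("WRAP:     ", wrap_header("https://example.com/request", "made-up-token"))
```

Running it prints the eleven-part signed header next to WRAP’s single token, which is the whole argument for WRAP in one screen: the canonicalization in `normalized_params` and `base_string_uri` is where real-world OAuth 1.0 integrations spent most of their debugging time, and WRAP trades all of it for a hard dependency on the TLS channel.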
Ryan Paul has some decent coding chops, in addition to working as a tech journalist. I enjoy his detailed coverage, like this article, of new and updated technologies from the perspective of the hacker struggling to use them. If he is optimistic about WRAP and OAuth 2.0, I think there is genuine cause to look forward to future developments.