FYI: Most of the specification has been implemented and is in the OpenACS CVS if you want to poke around (there should be some documentation in there too).
http://cvs.openacs.org/cvs/openacs-4/packages/acs-authentication/