Here is an overview of the authentication flow that we referenced at a high level in the post on identity. This is where we are today in our design thinking, and we have most of it (except DTLS) turned on right now in the alpha servers so we can test.
At a high level, domain server operators can request OAuth from people/agents accessing their virtual worlds, including various usage scopes for things like edit capabilities, importing and exporting of digital objects, and payments. The domain servers also present certificates, which accessing clients use to verify the servers' identity.
Comments requested and welcome on this detailed design.