First of all, I've decided to create a base specification called OInvite Core. This is what I'm referring to when I advertise "Draft 3". OInvite Core defines an XML based request/response document format to define the parameters surrounding an invitation. This core spec is meant to be a baseline for extension profiles of OInvite that can work appropriately under different situations. For example, there will be an HTTP profile of OInvite that specifies discovery and other aspects which work well for web applications. At the same time, I'm envisioning it might make sense to have a slightly different profile for XMPP, Google Wave, and posibbly something for regular email (heavy underline the "possibly" in that one).
OInvite Verification Extensions
The core spec provides a brief outline of the process a server should follow before prompting a user that a new invitation has been received. This is known as OInvite verification, but the exact details of how or what to verify are left to extensions to define.
You may notice that previous versions of OInvite had a Proof-of-Work scheme defined that worked to reduce and/or eliminate spam invitations. I'm still working to define this, but it will be in the form of an optional extension. Best of all, the core spec includes a way for servers to advertise any verification extensions in a programmatic way. Since these extensions are optional, individual implementors will have lots of freedom to experiment with the best verification mechanisms to protect from spam, verify senders & receivers, and ensure that every aspect of a particular OInvite has what it needs to work with a recipient's systems.
OInvite over HTTP
Next on my list is to create an HTTP profile of OInvite that relies on OpenID+WebFinger for authentication, XRD for discovery, and OAuth for authorization. This latter piece is going to be very interesting. It's starting to look like OInvite could be an automatic way for two users to exchange OAuth authorization tokens, which could open up some interesting new possibilities for private resource sharing across domains.
More to come!