I realize we have had a little bit of disagreement on what to call this. I am going to continue to call it "Trusts" as it is a subset of the set of mechanisms for delegation. I've wikified the Specification. Big thanks to David Chatwick for making this a much better spec. http://wiki.openstack.org/Keystone/Trusts Blueprint is still at https://blueprints.launchpad.net/keystone/+spec/trusts I will continue to work on this, to include, for example, how to specifiy duration and start times, but there should be enough here for people to understand. My initial write up: http://adam.younglogic.com/2012/10/preauthorization-in-keystone/