I'm pulling this outta my rear end, but how about:
(1) Enabling & security mechanism: The HTTP server, in addition to
specifying which directories/files in the filesystem can be
obtained by an outside client, also specifies which
directories/files can be annotated.
(2) Annotation mechanism: HTTP gets a mechanism by which a remote
browser can add a link to the currently viewed document. The user
would be allowed to specify the representation (label) for the
link and the HREF field of the link; if the HTTP server permits
(see 1), the link will be added to the end of the current
document. This would be the only form of annotation allowed (no
adding text to an existing document, etc.)
(3) Annotation location in the web: The presumption is that the user
adding the annotation can place the annotation (as a document) on
her local machine and make it accessible via http (or, I suppose,
(a) Fairly easy to implement and fairly seamless to integrate into
(b) Lightweight in terms of additions to existing documents; since
only a link can be added, security and document integrity is
preserved for everyone involved.
(a) Anyone who wishes to annotate a document must be running HTTP or
have some other way of making his annotation available as a
document from his machine to the web -- possibly too much grunge
work for real ``users'' as opposed to hackers.
But it would be a start....