13:58:28 RRSAgent has joined #lws
13:58:32 logging to https://www.w3.org/2025/05/19-lws-irc
13:58:32 eBremer has joined #lws
13:58:32 Zakim has joined #lws
13:58:48 zakim, start meeting
13:58:48 RRSAgent, make logs Public
13:58:50 please title this meeting ("meeting: ..."), acoburn
13:58:55 meeting: Linked Web Storage
13:58:59 chair: acoburn
13:59:23 agenda: https://www.w3.org/events/meetings/a19ab7dc-1753-433d-bac5-64e3ad8c0a43/20250519T100000/#agenda
13:59:23 clear agenda
13:59:23 agenda+ Introductions and announcements
13:59:23 agenda+ Action Items
13:59:23 agenda+ Use Cases status summary
13:59:23 agenda+ Discussion: Authorization
13:59:52 present+
14:00:02 RRSAgent, make minutes
14:00:03 I have made the request to generate https://www.w3.org/2025/05/19-lws-minutes.html acoburn
14:01:01 present+
14:01:08 present+
14:01:28 cpn has joined #lws
14:01:38 present+
14:01:40 present+
14:02:08 AZ has joined #lws
14:02:16 present+
14:02:24 RN7 has joined #lws
14:02:24 Beau has joined #lws
14:02:47 bendm has joined #lws
14:02:50 ericP has joined #lws
14:02:52 present+
14:03:00 present+
14:04:00 Monsecom has joined #lws
14:05:26 scribe+
14:05:40 scribenick: AZ
14:05:53 RazaN has joined #lws
14:05:54 acoburn: introductions & announcements
14:06:02 +1
14:06:32 Beau: work at technical institutes on social innovations
14:06:40 ... background in system integration
14:06:48 zakim, open agendum 1
14:06:48 agendum 1 -- Introductions and announcements -- taken up [from agendabot]
14:06:56 ... familiar with linked data
14:07:10 ... had work on the Solid spec
14:07:34 ... worked on the YYY project
14:08:00 acoburn: this experience will be useful for the group
14:08:51 ???: background as a data scientist
14:09:20 s/???/Monsecom
14:10:25 Will do
14:10:34 RazaN: I'm a postdoc recently joined AZ's group
14:10:47 ... will be using Solid in my research
14:10:53 ... Semantic Web background
14:11:21 acoburn: we talked about a possible face to face meeting
14:11:49 ... we are working on something maybe in the USA in October or November
14:12:26 I think it's UK or EU (not USA)
14:12:34 i'm available
14:12:37 Beau and I work as developers at VITO (vito.be), mainly in the We Are (https://we-are-health.be/en) project.
14:12:49 ... there will be a holiday soon in the US and we might skip the meeting
14:12:54 I will be available
14:13:15 I have a background in computer science
14:13:29 available
14:13:35 ... memorial holiday in the US and spring holiday in the UK
14:13:42 available
14:13:44 ... noboday seems to complain, so we can keep the meeting
14:13:54 s/noboday/nobody
14:14:17 @AZ on earlier note about meetup, not USA but UK or EU
14:14:19 zakim, open agendum 2
14:14:19 agendum 2 -- Action Items -- taken up [from agendabot]
14:15:01 acoburn: Hadrian is away today
14:15:09 zakim, open agendum 3
14:15:09 agendum 3 -- Use Cases status summary -- taken up [from agendabot]
14:15:15 ... let us jump to next agendum
14:15:44 ... there're 2 PRs open by Pierre Antoine
14:15:55 q+
14:16:05 ... I think we should merge that
14:16:25 ack next
14:16:26 ... this is preventing us from publishing as a working draft
14:16:40 -> https://github.com/w3c/lws-ucs/pull/155 UC title
14:16:40 https://github.com/w3c/lws-ucs/pull/155 -> Pull Request 155 Add a "real" title to the document (by pchampin)
14:16:54 pchampin: I overlooked the fact that the title was wrong
14:17:14 uvdsl has joined #lws
14:17:29 ... which is what holds the publication bacl
14:17:33 s/bacl/back
14:17:57 acoburn: seeing no objection I'm going to merge
14:18:06 ... another PR open by Hadrian
14:18:23 ... it introduces new use cases with serialisation formats
14:18:44 ... BTW, this is an introductory list of UCs, no guarantee they will be in the final report
14:19:09 kaefer3000 has joined #lws
14:19:58 ... there are specific UCs
14:20:20 ... that were merged or closed
14:20:30 ... because they were part of consolidated UCs
14:21:09 ... in the published document, we want to have pointers to the GH issues and a trace where they come from
14:21:36 ... issue ucs #30 was closed
14:21:37 Issue 30 not found
14:23:00 ... issue #35 was closed too
14:23:00 Issue 35 not found
14:23:36 ... reminder: we can find the doc that we want to publish in GitHub and there is a link to the final W3C location
14:24:09 ... issue #95, #111 were also closed
14:24:09 Issue 95 not found
14:24:09 Issue 111 not found
14:24:52 kaefer3000 has joined #lws
14:25:22 https://github.com/w3c/lws-ucs/pull/123 -> MERGED Pull Request 123 Updated glossary (by hzbarcea)
14:25:55 kaefer3000 has joined #lws
14:26:22 ... w3c/lws-ucs#112, w3c/lws-ucs#134 were closed/merged too
14:26:23 https://github.com/w3c/lws-ucs/issues/134 -> CLOSED Issue 134 [REQ-F] Adding, updating, deleting Resources in Storage (by hzbarcea) [review]
14:26:23 https://github.com/w3c/lws-ucs/issues/112 -> CLOSED Issue 112 [UC] Storage portability from a provider to another (by hzbarcea) [duplicate] [usecase]
14:26:37 q?
14:27:01 ... questions about these?
14:27:08 My GitHub account: https://github.com/beauvangemert1990
14:27:15 zakim, open agendum 4
14:27:15 agendum 4 -- Discussion: Authorization -- taken up [from agendabot]
14:27:43 acoburn: we started the conversation about authorization last week
14:27:46 present+
14:28:20 ... we can talk high level what we want
14:28:36 ... not going into specific solution
14:28:55 ... there are several issues related to authorization
14:29:17 uvdsl has joined #lws
14:29:20 ... for instance w3c/lws-ucs#70
14:29:21 https://github.com/w3c/lws-ucs/issues/70 -> Issue 70 [UC] Discoverable Authorization Requirements (by termontwouter) [triage] [usecase]
14:29:46 ... another is w3c/lws-ucs#67
14:29:46 https://github.com/w3c/lws-ucs/issues/67 -> Issue 67 [UC] Processing-based Access and Usage Control (by termontwouter) [triage] [usecase]
14:30:00 ... this one is more about what was discussed last week
14:30:16 ... another is w3c/lws-ucs#66
14:30:17 https://github.com/w3c/lws-ucs/issues/66 -> Issue 66 [UC] Purpose-based Access and Usage Control (by termontwouter) [triage] [usecase]
14:30:17 dmitriz has joined #lws
14:30:38 ... and w3c/lws-ucs#65
14:30:39 https://github.com/w3c/lws-ucs/issues/65 -> Issue 65 [UC] Context-based Access and Usage Control (by termontwouter) [triage] [usecase]
14:31:11 ... and w3c/lws-ucs#63
14:31:12 https://github.com/w3c/lws-ucs/issues/63 -> Issue 63 [UC] Policy Management for Derived Resources (by termontwouter) [triage] [usecase]
14:31:38 q+ to ask what is a derived resource
14:31:44 ... and w3c/lws-ucs#61
14:31:44 https://github.com/w3c/lws-ucs/issues/61 -> Issue 61 [UC] Intuitive (Data Type-Based) Policy Management (by termontwouter) [triage] [usecase]
14:31:56 ack next
14:31:57 gibsonf, you wanted to ask what is a derived resource
14:32:20 gibsonf1
14:32:25 present+
14:32:49 acoburn: the way I understand derived resource (63) is
14:33:26 ... say you have a set of fixed resources, and then a set of resources that derive from that
14:33:47 gibsonf1: if you had a request to ???
14:34:07 ??? = derived resource
14:34:31 acoburn: it depends a lot on how resources are defined in some
14:35:10 s/???/a derived resource
14:35:47 question was: Wouldn't request to a derived resource be no different than a request to any resource with respect to authorization?
14:36:20 acoburn: other issue that's related is w3c/lws-ucs#60
14:36:21 https://github.com/w3c/lws-ucs/issues/60 -> Issue 60 [UC] Freedom of policy modelling language/mechanism (by termontwouter) [triage] [usecase]
14:36:48 ... the UC also introduces more complexity
14:36:58 ... yet another is w3c/lws-ucs#89
14:36:59 https://github.com/w3c/lws-ucs/issues/89 -> Issue 89 [UC] Share data with a (potentially large) community/group of people (by mrkvon) [triage] [usecase]
14:37:17 ... finally w3c/lws-ucs#64
14:37:18 https://github.com/w3c/lws-ucs/issues/64 -> Issue 64 [UC] Fine-Grained Control Over Resource Access (by termontwouter) [triage] [usecase]
14:37:50 ... Last thing I want to mention
14:37:50 what I find fascinating about these issues, is that they highlight the central tension in this WG.
14:38:08 ... 1 approach that is in Solid is that access control is internal
14:38:22 ... it's fairly constrained but it's internal to the server
14:38:32 is our goal comprehensive documentation of use cases? (in which case, this is pretty great). Is our goal shipping a first iteration spec that we can build upon? In that case, most of these are _way_ too advanced / ambitious
14:38:37 ... 1 approach would be to handle this externally to the server
14:39:02 q+ to ask about what 'external to the server' means
14:39:03 ... e.g. defining what an access token would look like
14:39:12 q+ to weigh in on implementation effects
14:39:26 q?
14:39:30 uvdsl has joined #lws
14:39:31 ack next
14:39:32 pchampin, you wanted to ask about what 'external to the server' means
14:39:34 ... that would allow other kinds of abilities
14:39:56 pchampin: not sure what you mean by external to the server
14:40:13 ... it could be that the server relies on an external server for access control mechanism
14:40:29 ... it may be an implementation detail not in scope for this group
14:40:46 ... could you clarify exactly what you mean, acoburn
14:41:05 acoburn: this has impact on what we do for the protocol
14:41:24 ... is the LWS protocol going to define what's in an identity token
14:41:30 q?
14:41:51 ... one approach would be to define a format of an access token
14:42:12 ... separately, you could define how you get access to the token
14:42:28 ... using a binding for lots of implementations
14:42:34 q?
14:42:35 q+
14:42:36 ... that's what I meant by external
14:42:39 ack next
14:42:40 gibsonf, you wanted to weigh in on implementation effects
14:43:25 gibsonf1: with RDF on the server we cache things
14:43:28 present+
14:43:53 ... we use the authorisation with caching mechanisms
14:44:04 q?
14:44:05 ... it may be very difficult to handle this at scale
14:44:10 ack next
14:45:07 uvdsl: can you be more specific wrt the scope of the protocol
14:45:28 acoburn: authorization is very much in scope of the protocol
14:45:38 ... but how we scope it?
14:45:57 ... are we going to scope it to a particular way of getting authorization?
14:46:03 q+
14:46:35 i think "auth out of scope" means "auth *control* is out of scope", i.e. the mechanism for setting authorizations won't be portable between systems
14:46:39 ... if we define one thing, how we compare to another way
14:46:42 ack next
14:46:51 q+ to ask what are the things WAC just can't do?
14:47:24 uvdsl: there are 2 questions, do we choose a specific policy solution?
14:48:25 ... and if the authorization server and the resource server are distinct, what alternative to them being coupled?
14:48:55 ... I am thinking at how it works with Solid and how this is handled in different ways
14:49:26 acoburn: the 2 entities could coexist may do not necessarily have to
14:49:32 ack next
14:49:33 gibsonf, you wanted to ask what are the things WAC just can't do?
14:49:54 gibsonf1: you may want to couple the 2 if in your pod some data is used for authorization
14:50:13 ... if decoupled, it would be more difficult to understand what's going on in the pod
14:50:51 ... what WAC cannot do that other protocols can do?
14:51:03 q+
14:51:21 acoburn: one answer is WAC can do anything you want
14:51:28 ... but maybe undermining interoperability
14:51:44 ... it cannot do time based access control
14:51:50 ... on its own
14:51:56 q+
14:51:59 q+
14:52:03 ... so you need something on top that's not interoperable
14:52:16 ... or you can't do consent based access by itself
14:52:45 ... also with 1000000 of users,
14:52:54 ... things start to slow down much
14:53:08 q+ to mention interaction between monotonicity and unintended data exposure
14:53:13 ... from the top of my head, and then more things
14:53:37 q?
14:54:20 Beau: you could have something like one employee puts the WebId and that works for the whole company employees
14:54:53 acoburn: imagine you need the doctor to access one's health data
14:55:01 ... the doctor could delegate access
14:55:22 ... but the others cannot delegate again
14:55:26 q?
14:55:34 ack next
14:56:21 s/Beau: you could/gibsonf1: you could/
14:56:24 Beau: we talked about WAC and access control policy
14:57:23 ... WAC can define groups and user agents but cannot define fine grained policies
14:57:28 q?
14:57:32 ... you can do it with a policy language
14:57:51 https://solid.github.io/authorization-panel/acp-specification/
14:57:52 kaefer3000 has joined #lws
14:58:01 ... Solid can use ACP instead of WAC
14:58:05 ack next
14:58:08 q-
14:58:17 acoburn: and there are things ACP can't do and WAC can
14:58:17 q-
14:58:42 uvdsl: these conversations about what WAC can and can't do happened already in the Solid CG
14:59:09 ... in fact some things re. ACP are not done by ACP per se but by Inrupt's implementation
14:59:28 acoburn: having a particular policy language is one approach
14:59:38 ... there are other approaches
14:59:51 ... what are the tradeoffs of all the approaches
14:59:58 To add what I wanted to raise for the protocol: If we acknowledge that WAC is incomplete, why are we not considering to extend/modify WAC?
15:00:14 RRSAgent, make minutes
15:00:15 I have made the request to generate https://www.w3.org/2025/05/19-lws-minutes.html pchampin
15:00:38 ericP has left #lws
15:01:18 https://www.w3.org/ns/solid/acp
15:13:43 acoburn has left #lws
16:14:09 dmitriz has joined #lws