13:38:20 RRSAgent has joined #lws 13:38:24 logging to https://www.w3.org/2025/07/28-lws-irc 13:38:24 Zakim has joined #lws 13:38:30 I have made the request to generate https://www.w3.org/2025/07/28-lws-minutes.html TallTed 13:39:13 agenda: https://www.w3.org/events/meetings/a19ab7dc-1753-433d-bac5-64e3ad8c0a43/20250728T100000/ 13:39:13 clear agenda 13:39:13 agenda+ Introductions and announcements 13:39:13 agenda+ Action Items 13:39:13 agenda+ Continued clarification of requirements 13:39:37 TallTed has changed the topic to: Linked Web Storage Meeting 2025-07-28 -- Agenda: https://www.w3.org/events/meetings/a19ab7dc-1753-433d-bac5-64e3ad8c0a43/20250728T100000/ 13:40:23 previous meeting: https://www.w3.org/2025/07/21-lws-minutes.html 13:40:23 next meeting: https://www.w3.org/2025/08/04-lws-minutes.html 13:44:40 acoburn has joined #lws 13:58:32 zakim, start meeting 13:58:32 RRSAgent, make logs Public 13:58:34 please title this meeting ("meeting: ..."), acoburn 13:58:37 meeting: Linked Web Storage 13:58:40 chair: acoburn 13:58:46 agenda? 13:58:47 I have made the request to generate https://www.w3.org/2025/07/28-lws-minutes.html TallTed 13:59:00 gibsonf1 has joined #lws 13:59:30 thanks, TallTed 14:01:05 present+ 14:01:41 eBremer has joined #lws 14:01:43 present+ 14:01:44 ericP has joined #lws 14:01:51 present+ 14:01:56 present+ 14:02:05 I have made the request to generate https://www.w3.org/2025/07/28-lws-minutes.html TallTed 14:02:11 bendm has joined #lws 14:02:11 present+ 14:02:15 present+ 14:02:24 present hadrian 14:02:33 RRSAgent, draft minutes 14:02:35 I have made the request to generate https://www.w3.org/2025/07/28-lws-minutes.html acoburn 14:02:50 scribenick: bendm 14:03:01 s/present hadrian/present+ hadrian/ 14:03:18 kaefer3000 has joined #lws 14:03:19 RazaN has joined #lws 14:03:24 present+ 14:03:25 I have made the request to generate https://www.w3.org/2025/07/28-lws-minutes.html TallTed 14:03:44 jeswr has joined #lws 14:03:59 zakim, open agendum 1 14:03:59 agendum 1 -- Introductions and announcements -- taken up [from agendabot] 14:04:17 present+ 14:04:26 present+ 14:04:29 acoburn: any announcements? 14:04:50 ryey has joined #lws 14:04:50 (crickets) 14:04:54 present+ 14:04:59 zakim, open agendum 2 14:04:59 agendum 2 -- Action Items -- taken up [from agendabot] 14:05:13 acoburn: previous hour, chairs and editors were chatting 14:05:22 ... we went through the open issues 14:05:22 ... 14:05:30 ... pending pull requests have been merged 14:05:39 ... we're moving these PRs through 14:05:50 ... to make the repositories more manageable 14:06:05 ... any other open action items before we go to agendum 3? 14:06:22 ... there was some open tasks on clarifying use cases and requirements 14:06:38 zakim, open agendum 3 14:06:38 agendum 3 -- Continued clarification of requirements -- taken up [from agendabot] 14:06:40 dmitriz has joined #lws 14:07:13 acoburn: we started with 44 reqs 14:07:17 ... we now have 41, that's good subtopic: -> https://www.w3.org/TR/2025/DNOTE-lws-ucs-20250728/#dfn-service-integration-authentication Requirement Service integration authentication 14:07:27 ... we're at #29 14:07:41 ... we're basically halfway there 14:07:53 uvdsl has joined #lws 14:08:34 jesswr: to get to something more workable, to a wide range of stakeholders, I propose we start next week forward from one part of the spec, and bring that tot the stakeholders 14:08:48 ... reasonable place to start is personal cloud storage 14:08:58 ... I started to reach out to stakeholders 14:09:35 ... to see who the right other group to engage with are 14:10:04 ... my proposal: next week, focus on access grant and access control, starting from user interfaces (?) 14:10:08 eBremer has joined #lws 14:10:16 present+ 14:10:25 ... today, finish on prioritization 14:10:52 I think it might be most helpful for this group to specifically focus on the _data model_ of the access control and grant requests. 14:11:11 because the protocols for those are already decently defined (like IETF's GNAP, w3c's VP Request, etc) 14:11:42 acoburn: 29 items to get through is a lot for today, we should go through as much as possible 14:11:53 ... we want to set up jesse and eric to move on the actual protocol work 14:12:06 ... #29 service integration authentication 14:12:23 ... a lot on browser level, this is about auth for everything else 14:12:32 ... bots, server-to-server, scripts 14:13:08 q+ to ask, would definitely like this one in scope 14:13:15 ... (not issue 29, but requirement 29) 14:13:42 jesswr: I suggest to reframe this as serverside authentication, not have requirements for specific authentication 14:13:45 ack next 14:13:46 gibsonf, you wanted to ask, would definitely like this one in scope 14:13:59 gibsonf1: it would be great to have guidance on this, to have interop between servers 14:14:02 q+ 14:14:12 acoburn: we don't want to invent a new protocol here, but reuse existing 14:14:13 ack next 14:14:44 tallted: the title is unclear for me, phrasing should be better 14:14:48 acoburn: I agree 14:15:13 the good news with this one is that it's a fairly solved space - mtls and http signatures. 14:15:15 eBremer: I have a PR open 14:15:28 subtopic: -> https://www.w3.org/TR/2025/DNOTE-lws-ucs-20250728/#dfn-protocol-binding-independence Requirement Protocol binding independence 14:15:28 acoburn: req 28: protocol binding independence 14:15:56 jeswr has joined #lws 14:16:10 +1 out of scope 14:16:15 ... I suspect this is out of scope of this, but in scope of a separate layer that uses LWS 14:16:19 +1 out of scope 14:16:22 +1 14:16:34 +1 14:16:39 ... folks are broadly in consensus of that 14:16:52 perhaps "Loose Coupling of Underlying Protocols" 14:16:52 subtopic: -> https://www.w3.org/TR/2025/DNOTE-lws-ucs-20250728/#dfn-trusted-identity-providers Requirement Trusted identity providers 14:16:52 ... req 27 Trusted Identity Providers 14:16:59 ... this is about a governance model 14:17:13 ... I suspect many deployments will have this 14:17:35 .... e.g. I have service Y, IdP Z is not allowed by Y 14:17:39 27 seems out of scope for the spec. 14:17:47 +1 to leaving it to implementations. 14:17:48 q+ 14:17:51 ... suspect implementations will do this any way, and we don't need to specify everything about this 14:17:55 ack next 14:18:12 q+ 14:18:17 q+ to note that trust is a moving target 14:18:17 jeswr: governance is a huge challenge by a lot of different people, also outside Solid, so for me, completely out of scope (although very useful) 14:18:18 ack next 14:18:26 q+ 14:18:53 uvdsl: I would this req 27 as follows: not about defining trust, but the requirement to support the definition of trusted identity providers 14:19:02 ... i.e. restricting IdPs is possible at all 14:19:29 q- 14:19:38 also Identity Providers is both a vague term, and specific to individual authentication methods. 14:19:44 +1 for uvdsl 14:19:48 acoburn: so, there needs to be a mechanism to limit the scope of systems that it trusts? 14:20:03 for example, in Server to Server authentication, who is the identity provider? etc. 14:20:15 uvdsl: exact, otherwise a governance model is not possible at all, so that we technically provide the option to do it 14:20:24 q+ 14:20:28 q+ to ask about how an identity provider would not be trusted if identiny protocol used is sound 14:20:29 acoburn: enterprise and commercially, that will happen regardless 14:20:31 ack next 14:20:32 TallTed, you wanted to note that trust is a moving target 14:20:33 q+ 14:20:49 tallted: 'that will happen regardless' is a dangerous phrasing 14:21:00 ... trust is a moving target, changes over time 14:21:28 ... e.g. certificate structure: root certificate compromised required a lot of reconfiguration 14:21:48 ... at some point, you need to be able to say 'do not trust anything from this location' 14:22:04 ack next 14:22:05 ... the spec should give a way to administrators to do that 14:22:17 ryey: I agree with Ted and Christoph 14:22:36 ... my comment: who should be able to configure that? 14:23:01 acoburn: relates to layers of trust: trust at the level of the pod owner is different from the level of an operator 14:23:04 q? 14:23:08 ack next 14:23:09 gibsonf, you wanted to ask about how an identity provider would not be trusted if identiny protocol used is sound 14:23:09 ... if we go into this issue, we need to consider all layers 14:23:31 gibsonf: This could easily be abused 14:23:32 ... 14:23:50 ... ideally, the IdP spec is so good that we could trust everyone, but these things could be circumvented 14:23:51 ack next 14:24:02 dmitriz: I don't think this item makes sense 14:24:18 ... IdP is only relevant in OpenID-Connect 14:24:28 ... in other specs, there's no such notion 14:24:38 ... this req presumes a specific authentication method 14:24:47 ... so I think this should be out of scope 14:24:50 q+ to say that IdP is a term of use in current SWICG discussion of FedID and related (i.e., it's not just in OpenID) 14:24:58 ack next 14:24:59 TallTed, you wanted to say that IdP is a term of use in current SWICG discussion of FedID and related (i.e., it's not just in OpenID) 14:25:13 tallted: IdP is a term of use in current SWICG discussion of FedID and related (i.e., it's not just in OpenID) 14:25:27 ... it makes a lot of sense to have 'an identity provider' 14:25:37 q+ to say that IDP may be just another term for issuer of VCs. 14:25:50 dmitriz: It happens that FedID also comes from the context of OpenID 14:25:57 q- 14:25:59 tallted: FedID is broader than OpenID 14:26:33 acoburn: maybe we can rename this? to 'trusted identity mechanisms'? something more generic 14:26:47 subtopic: Requirements -> https://www.w3.org/TR/2025/DNOTE-lws-ucs-20250728/#dfn-modern-authentication-methods "Modern authentication methods" & -> https://www.w3.org/TR/2025/DNOTE-lws-ucs-20250728/#dfn-user-centric-identity-management "User-centric identity management" 14:26:47 ... req 26: modern authentication methods 14:26:56 q+ 14:27:02 ack next 14:27:03 ... this is even more related to OIDC 14:27:32 so the challenge with this list, is that we're grouping together requirements for at least 3 specs (possibly more). 1) authentication spec, 2) authorization/access control, and 3) read/write protocol 14:27:34 jeswr: 26 assumes centralized identity mechanisms, 25 says we should also support self-souvereign identity mechanisms 14:27:40 links please? 14:28:01 at _very_ least, we should tag which specs the requirement belongs to 14:28:01 ... suggestions: support more types of authentication mechanisms, without specifying what form in the requirement 14:28:15 acoburn: grouping 25 and 26 makes sense 14:28:17 s/self-souvereign/self-sovereign 14:29:03 oh, you don't mean "merge PR #"; you mean "combine requirements # and #" (I still want links) *and titles* 14:29:04 ... there's a similar req that has sub-options, so we could talk about the 'authentication requirement' and have centralized/self-sovereign/... options 14:29:12 q? 14:29:13 q+ 14:29:22 ebremer: will try to do a PR in the background to merge 14:29:39 ack next 14:30:32 tallted: let's use titles and ids 14:31:00 acoburn: yes, respec is using a consistent numbering, but we shouldn't refer to the numbers subtopic: -> https://www.w3.org/TR/2025/DNOTE-lws-ucs-20250728/#dfn-legal-basis-enforcement Requirement Legal basis enforcement 14:31:13 ... that said, now, we're talking about 'Legal Basis Enforcement' 14:32:01 q+ 14:32:04 ... tag access rules with legal grounds (e.g. GDPR) 14:32:06 ack next 14:32:26 jeswr: sounds like out of scope for LWS, since we see usage control out of scope 14:32:31 +1 for jesse 14:32:32 q+ 14:32:36 ack next 14:32:58 q+ 14:33:03 ryey: I agree with Jesse, and - there might be different ways to specify this, not mature yet, so hard to do at this stage 14:33:08 ack next 14:33:48 dmitriz: it seems like we're dealing with different specs: authentication, authorization, ReadWrite protocol 14:34:01 ... can we tag/group requirements? 14:34:13 acoburn: that's a great a suggestion 14:34:39 ... would that help the editors? does it make sense to do? 14:34:58 jeswr: it makes sense, Erich and I could do that asynchronously subtopic: -> https://www.w3.org/TR/2025/DNOTE-lws-ucs-20250728/#dfn-consent-based-data-sharing Requirement Consent-based data sharing 14:35:08 acoburn: let's move to 'consent-based data sharing' 14:35:16 ... this is a little bit different than access control 14:35:25 ... WAC/ACP just gives access 14:35:48 ... consent-based model involves explicit interactions, usually has purpose and receipts, and is revokable 14:35:56 q+ 14:36:03 ack next 14:36:45 uvdsl: I want to highlight there are two parts: (i) having the ability to give consent, and (ii) being able to verify the consent 14:36:52 change "duration" to (or add option for) "start/end datetime" 14:36:54 ... you can support the former without the latter 14:36:57 q+ 14:37:15 q+ 14:37:28 ack next 14:37:34 ... the first is like the cookie banner, the second is about cryptographic verification 14:37:44 ebremer: I thought we discussed something about logging last time? 14:38:09 q+ 14:38:10 ... that we discussed that it wasn't in scope? 14:38:13 q- 14:38:30 ucdsl - I haven't forgotten. I will be adding it as a linked glossary term to define it as cryptographic 14:38:35 acoburn: did you mean 'Auditable Trail?' it was merged with one in the thirties 14:38:46 s/ucdsl/uvdsl 14:38:53 q+ to ask difference between explicitly having the notion of "consent" vs using inbox and then an app to handle it 14:39:00 eBremer, no worries :) just wanted to highlight it to the group as well! 14:39:12 uvdsl, absolutely! :-) 14:39:13 q? 14:39:27 kaefer3000: so the second part of 'consent-based data sharing' is actually a point of current req 9 14:39:27 ack next 14:40:04 tallted: 'duration' is a broad term, but usually you mean start datetime / end datetime 14:40:20 ... the way these are being edited right now makes it hard to keep track of all terminology 14:41:10 q? 14:41:13 ... caution: I suggest to just put things together, and do editing later 14:41:15 ack next 14:41:16 ryey, you wanted to ask difference between explicitly having the notion of "consent" vs using inbox and then an app to handle it 14:41:57 q+ 14:41:57 ryey: how is consent different from this being a message to an inbox and a consent handling app? 14:42:11 ... is there a need for a different concept? 14:42:31 ack next 14:42:34 acoburn: so, would this happen at a different layer than LWS? 14:43:01 uvdsl: I think I agree with Aaron, at ryey: inbox is _an_ implementation 14:43:50 q+ to say that conflating data interactions with authentication/authorization interactions (i.e. conflating them in the same level) was a bad thing in our dev experience 14:44:03 acoburn: this is basically about interoperability 14:44:07 "consent" is a loaded term. "permission to see, read, update, delete" are better. 14:44:10 ... so something to debate 14:44:15 ack next 14:44:16 bendm, you wanted to say that conflating data interactions with authentication/authorization interactions (i.e. conflating them in the same level) was a bad thing in our dev 14:44:16 ... experience 14:44:25 q+ 14:44:44 scribe+ 14:44:47 bendm: to say that conflating data interactions with authentication/authorization interactions (i.e. conflating them in the same level) was a bad thing in our dev experience 14:44:58 q+ 14:44:58 bendm: putting this into the storage layer can add complexities 14:45:03 q? 14:45:06 ack next 14:45:08 scribe- 14:45:25 tallted: "consent" is a loaded term. it has legal things making it problematic, "permission to see, read, update, delete" are better. 14:45:52 q? 14:45:56 ack next 14:46:06 acoburn: access grants and permissions are going to be a better terminology 14:46:32 kaefer3000: I agree that part of consent should be part of another layer, but I wonder what is the minimum needed in the protocol to handle that 14:46:52 ... the question is: how do we facilitate the discovery of the resource that such requests should be sent to? 14:47:04 ... and so that consent modeling is not part of the spec 14:47:24 ... so can we specify a small thing to facilitate the rest subtopic: -> https://www.w3.org/TR/2025/DNOTE-lws-ucs-20250728/#dfn-data-integrity-verification Requirement Data integrity verification 14:47:41 acoburn: next: "Data Integrity Verification" 14:47:50 ... there are a number of IETF specifications to address this 14:48:00 ... maybe we can just point people to best practice references? 14:48:14 ... eg message signatures 14:48:36 q+ 14:48:37 q+ 14:48:41 ... basically: hash or signature-based mechanisms 14:48:43 ack next 14:48:44 there's always TLS 14:49:00 tallted: appropriate mechanism is going to vary with the data, how it's stored, how it's accessed 14:49:20 ... i.e. encrypted at rest, in transit, etc., will impact the mechanism 14:49:40 q- 14:49:40 bengo has joined #lws 14:49:52 present+ 14:49:55 q+ 14:50:02 present+ 14:50:04 ... we probably don't have to reinvent the wheel, we should need more loose coupling 14:50:40 bengo: this is an important UC for our work, specifically on the write side 14:51:10 ... what's not as obvious, is how a reader can later on know later on what the digest of the writer was 14:51:35 q+ to ask what the specific use cases are for Data Integrity Verification 14:51:37 ... I'd like to have affordances on how a server must preserve a digest, so a reader can have assurance 14:51:43 ack next 14:51:52 ack next 14:51:53 uvdsl, you wanted to ask what the specific use cases are for Data Integrity Verification 14:52:24 uvdsl: what are the specific use cases for Data Integrity Verification? 14:52:47 bengo: a lot is about activitypub data in and LWS server 14:53:12 ... eg if I put photos in my LWS, how can I be sure that the server isn't tampering with it? 14:53:46 ... eg news publishing: what is read from the server is guaranteed to be what was put by the writer, independent of the lws server 14:53:47 q+ 14:53:51 creator has to sign everything ... with reliable tools ... and write with reliable tools ... etc. 14:53:51 q- 14:54:38 q+ 14:54:39 ... another one is about the referent of your DID document: it would be a big deal if a service provider could add their public key to your verification methods 14:54:49 "This is my descriptor document, which I have signed with my private key, and which contains my public key.." 14:54:54 ack next 14:55:10 uvdsl: what are the mechanisms that you need in the server? 14:55:11 q+ 14:55:21 ... compared to what the application would need to do 14:55:47 ... i.e. if the storage server has no access to my private key, isn't it solved? 14:56:10 ack next 14:56:27 dmitriz: just want to add: yes, some of this can be handled on http requet level, some on data model and application level 14:56:35 ... there's a bit that LWS must handle 14:57:15 ... eg if I'm reading and writing JSON document, I can use JWS to sign, we have the digest header to make sure that the http request is handled correctly 14:57:22 ... what we need on LWS level: 14:57:34 ... non-text, non-structured data documents 14:57:44 ... e.g. JPG 14:58:05 ... these not have native support for provenance or don't have digest spec 14:58:07 I'd also answer: we need some assurances from the LWS spec/server that the server SHOULD or MUST actually persist and then offer reads for the Digest, not just throw it away or tamper with it after the application/client writes it. 14:58:13 ... eg via a link to an auxiliary resource 14:58:21 q+ to ask (AOB) if there was follow up on the f2f scheduling, which was part of last week's discussion 14:58:48 acoburn: concerning the F2F scheduling: there's no news yet 14:59:07 @bengo: +1, yeah 14:59:07 https://github.com/bengo -> @bengo 14:59:11 ... adjourning, have a good week! 14:59:34 I have made the request to generate https://www.w3.org/2025/07/28-lws-minutes.html TallTed 14:59:40 gb haha ya https://bengo.is/ https://mastodon.social/@bengo 14:59:40 @gb - I think that's the wrong bengo 14:59:40 https://github.com/gb -> @gb 15:00:04 RRSAgent, make minutes 15:00:06 I have made the request to generate https://www.w3.org/2025/07/28-lws-minutes.html acoburn 15:00:29 s/thanks, TallTed// 15:00:37 RRSAgent, make minutes 15:00:39 I have made the request to generate https://www.w3.org/2025/07/28-lws-minutes.html acoburn 15:01:30 present+ dmitriz 15:01:42 present+ gibsonf 15:01:55 RRSAgent, make minutes 15:01:57 I have made the request to generate https://www.w3.org/2025/07/28-lws-minutes.html acoburn 15:02:29 s/jesswr/jeswr/ 15:02:45 s/jesswr/jeswr/ 15:02:50 RRSAgent, make minutes 15:02:52 I have made the request to generate https://www.w3.org/2025/07/28-lws-minutes.html acoburn 15:04:29 acoburn has left #lws 23:10:50 dmitriz has joined #lws