14:45:52 RRSAgent has joined #lws 14:45:56 logging to https://www.w3.org/2025/11/10-lws-irc 14:45:56 RRSAgent, make logs Public 14:45:57 please title this meeting ("meeting: ..."), laurens 14:46:13 meeting: Linked Web Storage WG - 2025-11-10 14:46:32 agenda: https://www.w3.org/events/meetings/a19ab7dc-1753-433d-bac5-64e3ad8c0a43/20251110T100000/ 14:46:33 clear agenda 14:46:33 agenda+ Introductions and announcements 14:46:33 agenda+ Storage Metadata 14:46:40 acoburn has joined #lws 14:46:40 chair: laurens 14:49:23 agenda+ Authentication 15:00:29 eBremer has joined #lws 15:01:30 ericP has joined #lws 15:01:51 gibsonf1 has joined #lws 15:01:52 present+ 15:01:57 present+ 15:02:34 present+ 15:03:21 ryey has joined #lws 15:05:10 scribe: laurens 15:05:36 chair: acoburn 15:06:09 gibsonf1 has joined #lws 15:06:10 acoburn: We have two items on the agenda today, the usual introduction & announcements and then our main focus will be storage metadata. 15:06:17 present+ 15:06:22 present+ 15:06:26 present+ 15:06:31 zakim, open agendum 1 15:06:31 agendum 1 -- Introductions and announcements -- taken up [from agendabot] 15:06:42 rrsagent, draft minutes 15:06:43 I have made the request to generate https://www.w3.org/2025/11/10-lws-minutes.html laurens 15:06:50 present+ 15:07:01 acoburn: Are there any announcements? 15:07:08 gibsonf1 has joined #lws 15:07:27 ryey: I'll be changing my affiliation, as I am leaving Oxford University. 15:08:03 acoburn: If you are no longer affiliated with a member, you could apply to be an invited expert. 15:08:20 gibsonf1 has joined #lws 15:08:36 ... I'll follow up with you on this. 15:08:45 zakim, open agendum 2 15:08:45 agendum 2 -- Storage Metadata -- taken up [from agendabot] 15:08:55 gibsonf1 has joined #lws 15:09:18 acoburn: Last week we talked about resource metadata 15:09:32 ... today we'll be talking about storage metadata. 15:09:48 ... This has a different role and characteristics. 15:10:05 ... We need to sort out what the role of storage metadata is. 15:10:13 ... Then we'll discuss the contents. 15:10:28 ... Therafter we'll talk about the discovery mechanism. 15:10:43 ... And finally, the serialization format of the metadata. 15:11:29 ... Both your storage and resources may point to the storage metadata. 15:11:46 ... It's a way of discovering the kinds of services one can interact with in the scope of a storage server. 15:12:01 ... There is some prior art for this in the Solid protocol. 15:12:21 https://solidproject.org/TR/protocol#storage-resource 15:12:49 ... It includes very few requirements on the contents of the storage description in the Solid protocol. 15:13:05 ... Also, it doesn't specify how it relates to authentication. 15:13:49 ... Other prior art, in the world of OAuth2 RFC8414 specifies a discovery mechanism for authorization server metadata 15:14:02 ... similar mechanisms exist in OIDC. 15:14:13 ... These are defined through the IANA well known registry. 15:14:25 https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml 15:14:51 ... So let's discuss what the role and scope of the storage metadata is. 15:15:10 ... I.e. is the scope a single storage, or is the scope an entire server. 15:15:20 q? 15:15:37 gibsonf10 has joined #lws 15:15:56 eBremer: A commercial service provider may offer additional services for paying customers. 15:16:14 ericP: They might just make a separate domain for that set of features. 15:16:36 acoburn: If you had a single storage on a single server, that would be a 1-to-1 mapping 15:16:46 ... a commercial provider may have multiple storages. 15:17:04 ... They may point to the same metadata or different metadata. 15:17:38 q+ to ask shouldn't we differenatiate between the server and the storage for metadata? 15:17:56 laurens: I think we should specify it such that we don't prevent either of both options. 15:18:10 ... However, it should not be an extension to the user's identity document. 15:18:13 q+ to ask about read-only or user-extension 15:18:13 ack next 15:18:14 gibsonf, you wanted to ask shouldn't we differenatiate between the server and the storage for metadata? 15:18:37 gibsonf1: We would want to differentiate between the server itself and the entire server. 15:18:52 ... There may be differences, they seem like separate items. 15:19:27 acoburn: One option here is that there might be metadata to describe the server, which could even go undefined, 15:19:35 ... and then there's this thing we call storage metadata. 15:20:16 gibsonf1: Let's say you include server metadata in the storage metadata 15:20:23 ... you would be repeating yourself over and over. 15:20:52 ack next 15:20:53 ryey, you wanted to ask about read-only or user-extension 15:20:58 acoburn: I think separating that might make a lot of sense. 15:21:06 ryey: I agree with what has been said roughly. 15:21:14 ... I want to ask about this read-only thing. 15:21:32 ... Will that prohibit the possibility of the storage owner through some extension mechanism? 15:21:59 ... Read-only would entail that the service provider would offer a capability to register this. 15:22:17 acoburn: We could require it is read-only, or just not say anything about it. 15:22:32 ... Through HTTP discovery the client could figure out it is read-only. 15:23:01 ... If it is writeable we should consider the risks of this. 15:23:35 ryey: Do we want a storage owner to restrict the available services? 15:23:47 q+ 15:23:55 ack next 15:23:57 scribe+ 15:24:32 laurens: also a different way to look at this (now that we have a distinction with server metadata): could be shared responsibility 15:24:43 ... between storage owner and service operator 15:24:59 ... might be better to leave read-only restriction out and let implementer decide 15:25:15 ... if this resource is writable, there are some tricky authZ issues 15:25:29 +1 laurens 15:25:30 ... I would leave out statements about read-only or writability 15:25:39 ... and leave that open to implementations 15:26:23 ... for user-managed capabilities, that could be listed in the root of a storage 15:26:26 q+ to ask about root vs storage 15:26:27 scribe- 15:26:33 ack next 15:26:34 gibsonf, you wanted to ask about root vs storage 15:27:10 gibsonf1: It might make sense not to add any additional role to the root of the storage (like in solid) 15:27:16 ... and just treat it as a regular container. 15:27:50 scribe+ 15:28:00 laurens: I agree, we need that distinction 15:28:02 scribe- 15:28:52 gibsonf1: This might be specific to our implementation (i.e. both storage and webids are hierarchical), but having the root container just be a regular container could simplify things. 15:29:41 acoburn: Let's recap the discussion. Each storage could have a distinct metadata document and they might be read-only but we wouldn't require it. 15:29:56 ... Let's now discuss the contents. 15:30:14 ... There may be specific capabilities and services described in the storage metadata. 15:30:39 ... For example, services could be a notifiication location, type index, access request, ... 15:30:48 q+ to ask about including root container location in storage metadata 15:30:57 ack next 15:30:57 ... And capabilities could be the trusted authorization server and supported access tokens or extensions. 15:30:58 gibsonf, you wanted to ask about including root container location in storage metadata 15:31:13 gibsonf1: It seems like this functions as a profile card? 15:31:26 acoburn: A profile card as I understand it is more for authn. 15:31:55 gibsonf1: It might be a good idea to have the root container location as well as the webid for the storage. 15:32:07 acoburn: There's some privacy considerations for that last part, but it could be. 15:32:33 q+ to respond to gibsonf1 15:32:56 ... The root container location makes a lot of sense to me. 15:33:20 ... There is some analogy to the issuer in the OpenID/Oauth metadata. 15:33:29 ... This avoids a "confused deputy" problem. 15:33:31 q+ 15:33:32 ack next 15:33:33 ryey, you wanted to respond to gibsonf1 15:33:58 ryey: I wanted to reply to gibsonf1 on the webid in the storage metadata. 15:34:11 ... I see a privacy issue there, as well as a situation with multiple "owners" of the storage. 15:34:33 acoburn: We could not specify this right now. 15:34:44 ... And leave this open to implementers. 15:34:54 ack next 15:34:58 scribe+ 15:35:21 laurens: we need some equivalent to an "issuer" claim in the storage metadata. The controller part is more vague 15:35:57 ... I wonder about whether the root is exposed, does that address the confused deputy problem? 15:36:17 ... if we include that field, then the storage metadata would need to be per-storage 15:36:40 ... there is good reason to include that field, but it might mean that this is a per-storage metadata 15:36:42 scribe- 15:36:47 scribe+ 15:36:59 rrsagent, draft minutes 15:37:00 I have made the request to generate https://www.w3.org/2025/11/10-lws-minutes.html laurens 15:37:47 acoburn: After this discussion, if we include the root container it would have to be a per storage metadata document. 15:38:19 ... Now let's move to discovery. 15:38:39 ... Oauth uses a .well-known URI for discovery. 15:39:00 ... This only works well at the domain level, for example at {UUID}.storage.example 15:39:29 ... This might be problematic if storages live at subpaths, e.g. storage.example/{UUID} 15:39:56 ... We could use link headers like in Solid, but this is hard if you don't have access to the storage. 15:40:36 ... Another option is to include it in the WWW-Authenticate header upon a 401 response code. 15:40:54 ... We could also do both the link header and the WWW-Authenticate header. 15:41:14 ... Finally, it could live in the user's CID document. 15:41:17 q+ 15:41:24 ack next 15:41:27 scribe+ 15:41:49 laurens: at first, I thought using a CID document, but that doesn't necessarily solve this 15:42:04 ... there could be documents in a storage for which the user isn't the controller 15:42:44 ... user's CID doc works for cases where the user controls the resource, but it's more complicated in other cases 15:43:04 ... openid uses a sub-path mechanism with .well-known 15:43:17 ... so we could potentially use that, but it would need to be explicit 15:43:22 scribe- 15:43:58 acoburn: We would want to be careful, because if we use .well-known we'll have to register with IANA. 15:44:06 ... OpenID tends to do its own thing. 15:44:40 q+ to ask why that's btter than just a Link header on 401s 15:44:51 ack next 15:44:52 ericP, you wanted to ask why that's btter than just a Link header on 401s 15:45:20 ... I am hearing consensus on this Link: <...>; rel="storageDescription and WWW-Authenticate: Bearer storageDescription="..." combination. 15:45:43 ericP: Even on a 401 you could still use this link header. 15:45:56 ... But some frameworks might prevent you. 15:46:20 acoburn: You don't typically see link headers on the 401 response code. 15:46:42 ericP: Most link headers are registered for the 200 status code, but nothing prevents you. 15:47:09 acoburn: In LDP there is the w3.org/ns/ldp#constrainedBy Link header on 4xx response codes. 15:47:57 present+ 15:48:03 ... We could have this link header be in the spec and explicitly require it be returned on a 401. 15:48:10 ... I like the consistency of this. 15:48:16 rrsagent, draft minutes 15:48:18 I have made the request to generate https://www.w3.org/2025/11/10-lws-minutes.html laurens 15:48:54 acoburn: When we get around to writing this down, let's use the link header as the starting point for discovery. 15:49:01 ... Now let's move on to the format. 15:49:31 ... In Solid the storage description is assumed to be RDF, but it is very loosely specified. 15:49:43 ... A JSON-LD with a particular frame might make most sense. 15:49:52 ... Or it could be arbitrary RDF. 15:49:57 q+ 15:50:03 +1 to any RDF format (as per accept) 15:50:04 ack next 15:50:07 q+ to i like the marketability of JSON-LD 15:50:35 ack next 15:50:35 laurens: At least require JSON-LD with some frame. 15:50:36 ericP, you wanted to i like the marketability of JSON-LD 15:50:51 ... Implementers could choose to do content negotiation. 15:51:00 s|https://solidproject.org/TR/protocol#storage-resource|... https://solidproject.org/TR/protocol#storage-resource 15:51:11 +1 laurens 15:51:14 s|https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml|...https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml 15:51:33 I have made the request to generate https://www.w3.org/2025/11/10-lws-minutes.html TallTed 15:51:49 acoburn: I think this is enough to start work on the storage metadata. 15:52:04 ... Next, we should focus on containers. 15:52:16 ... Containers are important, but they are underspecified in Solid. 15:52:27 ... This will probably take a few weeks. 15:52:47 ... Problems include pagination, format, user-managed metadata, ... 15:52:59 ... I would encourage everyone to start thinking about this. 15:53:12 ... This will be central to how applications interact with LWS storage. 15:53:27 ... Otherwise, I think we can wrap things up for this meeting. 15:53:58 ... We can close the meeting here. 15:54:19 RRSAgent, make minutes 15:54:20 I have made the request to generate https://www.w3.org/2025/11/10-lws-minutes.html acoburn 16:00:18 acoburn has left #lws