08:11:44 RRSAgent has joined #lws 08:11:48 logging to https://www.w3.org/2026/04/27-lws-irc 08:12:28 acoburn has changed the topic to: Linked Web Storage WG - 2026-04-27 - https://www.w3.org/events/meetings/fed3ebd2-1330-4853-8ec4-12442c47e32c/ 08:12:44 zakim, start meeting 08:12:44 RRSAgent, make logs Public 08:12:46 please title this meeting ("meeting: ..."), acoburn 08:13:07 agenda: https://www.w3.org/events/meetings/fed3ebd2-1330-4853-8ec4-12442c47e32c/#agenda 08:13:09 acoburn, sorry, I did not recognize any agenda in https://www.w3.org/events/meetings/fed3ebd2-1330-4853-8ec4-12442c47e32c/#agenda 08:13:32 zakim, open agendum 1 08:13:32 agendum 1 -- Introduction and announcements -- taken up [from agendabot] 08:13:36 termon has joined #lws 08:13:37 termon has left #lws 08:13:42 present+ 08:13:57 termontwouter has joined #lws 08:14:40 rrsagent, make minutes 08:14:42 I have made the request to generate https://www.w3.org/2026/04/27-lws-minutes.html acoburn 08:14:50 present+ 08:14:54 present+ termontwouter 08:15:01 present+ jeswr 08:16:40 ryey has joined #lws 08:16:46 present+ 08:16:47 eBremer has joined #lws 08:16:55 present+ 08:17:04 uvdsl has joined #lws 08:17:43 jeremycaine has joined #lws 08:18:11 bendm has joined #lws 08:18:17 present+ 08:18:51 acoburn has joined #lws 08:27:49 present+ 08:29:07 rrsagent, make minutes 08:29:08 I have made the request to generate https://www.w3.org/2026/04/27-lws-minutes.html acoburn 08:30:25 jeswr1 has joined #lws 08:32:31 elf-pavlik has joined #lws 08:32:47 present+ 08:32:57 rrsagent, make minutes 08:32:58 I have made the request to generate https://www.w3.org/2026/04/27-lws-minutes.html acoburn 08:33:29 present+ 08:33:45 scribenick: jeswr 08:34:01 elf-pavlik0 has joined #lws 08:34:55 acoburn: I would like to propose that we do not change our scope 08:35:52 termontwouter: Lets not widen, but lets clarify the scope as there is consistently debate 08:36:27 ... this may resolve ongoing discussions around containers and query 08:36:32 Charter -> https://www.w3.org/2024/09/linked-web-storage-wg-charter.html 08:37:19 laurens: Agree, lets expand out of scope section 08:37:42 ... one aspect I want out of scope is access control 08:38:10 ... in-scope I want to brush up the UC&R documents and reference that in the re-chartering 08:38:42 eBremer: I agree with all that has been said. Something new would have to be critical. 08:39:14 elf-pavlik has joined #lws 08:39:28 ... Can we have a plan for the future (what is in 1.1, 1.2) 08:39:34 q+ 08:39:43 acoburn: What we need in 1.0 is publication of a TR document 08:40:33 ... For a 2 year re-charter. Year 1 is to publish that TR document. Year 2 is the maintenance mode, and getting two implementations of every feature. 08:41:34 ... working backwards. CR status by September. Then 1 year for TR, 1 year for maintenance. 08:42:33 jeswr: If access control is out-of-scope, does that mean we cannot then define it until a 1.1 2 years down the track 08:43:27 laurens: When we go in maintenance mode, that does not mean we stop work on a new version of LWS. We can prepare for a 1.1 or 2.0, including work on a re-chartering during a maintenance mode. 08:43:29 q+ to talk about incubation 08:43:54 elf-pavlik: Is that a new charter or re-charter 08:44:05 laurens: It depends. VC did a re-charter for 2.0. 08:44:54 ack next 08:45:22 jeremycaine: Lets have a diagram showing access control implemented by an external service to 1.0, and then in scope for 1.1 08:45:39 elf-pavlik: Is threat modelling in scope for 1.0 08:46:08 laurens: Yes. However, we lack volunteers willing to work on this. 08:47:24 eBremer: Can we have a rough overview of the next 5 years. Does not need to be detailed plan. 08:47:33 ack next 08:47:34 acoburn, you wanted to talk about incubation 08:47:43 laurens: Yes we can 08:48:43 acoburn: Adding to what is out of scope for 1.0, leaving things like access control out of scope is ok. These can be incubated outside LWS, e.g., working with the Solid CG. 08:49:25 ... So let's define the core boundaries in a clear and compelling way 08:49:36 q+ to talk about the role of the Solid CG 08:50:05 q+ to talk about supporting role of ODI 08:51:09 uvdsl: I agree with what has been said of clear scoping. I share the concern of not shooting ourselves in the foot. To be clear, the re-chartering is for 1 year? 08:51:21 ack laurens 08:51:21 laurens, you wanted to talk about the role of the Solid CG 08:51:30 acoburn: Yes. The goal is to get to 1.0 1 year after the current charter ends. 08:51:36 q+ to ask about scope about recharter (esp. optional items such as access control) 08:52:22 laurens: We should more clearly define the role of CG's in the incubation process. There are interesting issues that have been raised that are out-of-scope for the WG. I do see a role for CG's like the Solid CG to have a more clearly defined incubation pipeline 08:52:29 acoburn has joined #lws 08:52:33 q+ to suggest prioritized list of items in scope 08:52:34 ... we still need to define what such a pipeline would look like 08:53:02 jeswr: ODI can support this. At the moment we're setting up Solid26 08:53:13 ... as an implementers guide to the Solid specification. 08:53:24 ... ODI is helping to develop a feedback model. 08:53:37 ... That feedback can be triaged and fed into CG, WG, ... 08:54:18 q? 08:54:19 ... Some of the enterprise-oriented feedback might feed into e.g. Inrupt, IBM, OpenLink, Trinpod, ... 08:54:37 ... This would help the adoption of the technologies. 08:54:48 ack next 08:54:49 jeswr, you wanted to talk about supporting role of ODI 08:54:59 ack next 08:55:00 ryey, you wanted to ask about scope about recharter (esp. optional items such as access control) 08:56:05 ryey: What are we allowed to do in a re-charter. Can we keep rechartering through to an LWS 1.5 08:56:30 acoburn: An administrative re-charter should have no change in scope. A full re-charter can be whatever we like subject to AC approval. 08:56:57 ... There are therefore two things to consider. What we want as a group, and what we think will get approval. 08:57:32 ryey: Is the proposal that we do not define access control in 1.0 08:57:45 acoburn: Yes, that is what laurens suggested 08:58:21 q+ question about external acl specification 08:58:31 ryey: If we lack acl, will people think LWS is not mature 08:58:37 eBremer has joined #lws 08:58:42 present+ 08:59:07 q+ to ask about external acl specification 08:59:09 laurens: There are two aspects to this: 1) defining a language for requesting changes to access 2) how these access controls are materialised and stored 08:59:50 ... we have now left open the higher abstraction of how we interact with access control rules, but we do not define the access control rules 09:00:06 ... for 1.0 I would avoid the complexity of defining access control rules 09:00:41 acoburn: In the Solid CG we found access control to be a contentious topic. I worry that it will consume all our time if we bring it in scope. 09:00:50 ryey: I agree. 09:01:25 ... Is there a practise of showing recommended implementations? 09:02:17 acoburn: Implementation reports can describe what implementations support 09:02:43 q+ to ask about scoping of authentication 09:02:45 ... with a matrix of features and implementations 09:03:33 q? 09:03:41 ack next 09:03:42 elf-pavlik, you wanted to suggest prioritized list of items in scope 09:04:31 elf-pavlik: Reflecting on Solid26, it was a very short time frame. This group also has a limited time frame, it would be healthy to track what is required to implement and what is optional to implement. 09:05:00 ... as we also need implementations and test suites. Not just the spec document. 09:05:41 laurens: We have the notion of tentative deliverables. The FedID group did this. 09:06:51 acoburn: Yes, and so lets clarify whats in and out. Currently Access Requests, Notifications, Containers, Terminology, Type Index, and Metadata 09:07:02 ... are on the table in the group 09:07:53 bendm: Do we have a full picture of how mature and what the features of these are 09:08:47 acoburn: The table of contents of https://w3c.github.io/lws-protocol/lws10-core/ gives this 09:09:39 ... authentication and authorisation: says oauth is baseline and you can do other things 09:09:56 ... discovery: Storage description document 09:10:42 laurens: We then have access requests & grants, notifications and type indexes 09:10:56 ... currently access requests & grants require notifications 09:11:03 ... type indexes are most at risk 09:11:33 ericP has joined #lws 09:11:40 present+ 09:11:59 acoburn: Outstanding features that we need to clarify. Access Requests are an open pull requests. Hopefully today we will narrow in on consensus. Similarly for notifications and type indexes 09:12:09 ... we may decide to drop one and have all 3 09:12:54 ... From a prioritisation perspective, if we are not doing access control at all -- then access requests provides a way for at least requesting access to resources. 09:13:14 we could have access grants without notifications 09:13:19 bendm: There is a fine line between access requests, and access controls 09:13:23 q? 09:13:27 ack next 09:13:28 jeremycaine, you wanted to ask about external acl specification 09:14:07 jeremycaine: You have these external entities that are going to be doing things for you. When you describe access requests, is that not the interface that external entities interact with the access control system 09:14:39 acoburn: Yes, access requests are higher level. Everything that you can do in access requests, can also be done with an access control language. 09:14:55 ... so the question is what is a minimal high level interface for agents to request acess. 09:15:02 ... that is the extent of the scope of that feature 09:15:04 q+ 09:15:18 bendm: I understand that in there we could have a hook to an access control language 09:16:03 termontwouter has joined #lws 09:16:13 acoburn: We will get into that in a bit. We are using ODRL as a baseline, but even that is as baseline. One could map that to different kinds of policy languages. It could be anything. It just requires some kind of a mapping. But that becomes an implementation detail 09:16:41 ... one could also imagine that there is an ODRL profile and then it is a trivial 1:1 mapping between the content of the access request and the access control 09:18:12 jeswr: Could we not take the ODRL profile we have for access requests and make that our access control language for 1.0 09:19:20 ... or at least an access control profile for LWS 09:19:53 acoburn: Yes we could 09:20:47 jeremycaine: Is access control any easier or harder than the way you have defined containers 09:21:24 scribe+ 09:22:15 jeswr: will need multiple access profiles for the different uses cases 09:23:07 ... what LWS currently does, this is the interface by which you can modify access control 09:23:45 acoburn: for certain use cases there are needs for complicated accesstrol policies 09:23:59 ... but if we define that level of complexity for everyone its a real burden 09:24:11 q? 09:24:12 q+ 09:24:30 ... 80% could get by with something simple and straightforward without everyone doing some complicated arcane structure 09:24:50 jeremycaine: if you make it too simple, it wont work for an enterprise example 09:25:19 acoburn: exactly. so for the group to leave out of scope or make it an implemntation detail 09:25:36 ... anything related to security...it is a constantly moving target 09:25:50 q? 09:25:50 ... in 2years, may be so out of data leaving LWS not so useful 09:25:58 ack termontwouter 09:25:58 termontwouter, you wanted to ask about scoping of authentication 09:26:35 termontwouter: Given that we put access control out of scope, how does the authentication method still relate it 09:27:49 present+ 09:27:52 acoburn: Nobody objects to OAuth. HTTP also provides a mechanism for negotiating for other things. Technically we are not mandating that everyone implement OAuth. We are making OAuth a baseline for interoperability. 09:28:07 ... What we describe in the specs today says if you are using OAuth, use it correctly 09:28:32 ... Other challenges could come back (e.g. GNAP, UMA, etc.) but that is not a requirement of LWS. 09:28:57 ... You could also support HTTPSig 09:29:25 s/accesstrol/access control 09:29:38 termontwouter: Whatever the choice of mechanism, why define ??? 09:30:08 acoburn: This is the balance between having enough guidance for interop, whilst also leaving things open-ended to build upon 09:31:15 ... so we are giving profiles (e.g. OpenID, SAML, Server side agents) 09:32:07 ... which are rec track documents. Servers are not required to implement any of the specific profiles. 09:33:02 q+ to mention evolution of specs 09:33:05 pchampin: Think of them like modules, someone could also define their own profiles and plug them in. But they would need a good reason to do so rather than use the ones we define 09:33:12 ack jeswr 09:33:22 ack next 09:33:45 laurens: The larger we make the specification in terms of MUSTs, the more complicated we make it to define implementations 09:34:17 ... what we have seen with Solid in the past is that there was a big surface to cover on the server side 09:34:29 ... whilst our use-cases were much smaller than what was defined 09:34:38 ... and this cost did not end up benefitting adoption 09:35:53 ... Having OAuth as a basline is also very beneficial. It is quite popular in places like MCP and we could benefit from implementing profiles of what they have 09:36:02 q+ 09:36:03 ack next 09:36:04 elf-pavlik, you wanted to mention evolution of specs 09:36:41 q- 09:36:47 elf-pavlik: We discussed earlier, if the ecosystem of authentication evolves -- there is something better in 5 years it will be easier to plug that in. 09:37:10 ... having that mechanism is more important than one specific suite 09:37:49 q? 09:37:51 woutertermont: If the server is required to declare what authentication method it supports. Then there also needs to be a "micro" specification defining what identifier refers to which spec 09:39:03 elf-pavlik: So you use something like a WWW-authenticate header to determine what the authentication method is 09:39:58 termontwouter has joined #lws 10:04:08 gibsonf1 has joined #lws 10:04:13 present+ 10:04:36 jeremycaine has joined #lws 10:04:36 acoburn: summarizes previous hours 10:05:08 ... Let's wrap up the scope, timeframe, and mechanics for a possible extension 10:05:47 elf-pavlik has joined #lws 10:06:00 ... Scope: delineate the currently open-ended scope; emphasize what's IN and what is OUT 10:06:52 pchampin: By declaring the scope closed, we would need to recharter if afterwards we already want to move on. 10:07:51 acoburn: As general timeframe, I proposed to aim for a CR this fall (2026), TR fall 2027, which leaves us one year of 'maintenance mode'. 10:08:05 elf-pavlik: Which specific documents? 10:08:25 acoburn: All the rec-track ones 10:08:55 ... we can always descope things if they become at risk 10:09:12 bendm: Is it common to have a year of maintenance mode? 10:10:30 pchampin: Increasingly so as a good practice nowadays, though sometimes dormant.It also gives a good start for starting discussion and chartering a possible next version. 10:11:02 s/dormant.It/dormant. It/g 10:12:52 bendm: Then we can also list features that we want to keep possible in 1.0 without actually specifying it yet? 10:13:27 acoburn: Yes. In particular what other specifications could possibly take up separately. 10:14:22 ... Let's write this down as a proposal; summarized, not rewriting the charter right now. 10:15:37 RRSAgent, make minutes 10:15:39 I have made the request to generate https://www.w3.org/2026/04/27-lws-minutes.html pchampin 10:17:33 bendm: Maybe we should also add the decision to aim for a recharter. 10:19:55 acoburn has joined #lws 10:20:00 scribe+ 10:22:21 s/woutertermont/termontwouter/ 10:23:01 ryey has joined #lws 10:23:50 PROPOSAL: The LWS WG will pursue an administrative extension in order to focus on working on a new charter document. 10:23:58 q? 10:24:02 +1 10:24:02 +1 10:24:03 elf-pavlik has joined #lws 10:24:04 +1 10:24:09 +1 10:24:10 +1 10:24:12 +1 10:24:18 +1 10:24:19 +1 10:24:21 +1 (guest) 10:24:22 +1 10:24:32 RESOLVED: The LWS WG will pursue an administrative extension in order to focus on working on a new charter document. 10:24:36 +1 10:24:40 +1 10:24:54 PROPOSAL: The LWS WG will focus on the current deliverables during the remainder of the existing charter 10:24:59 +1 10:25:00 +1 10:25:00 +1 10:25:01 +1 10:25:01 +1 10:25:01 +1 10:25:02 +1 10:25:04 +1 10:25:08 +1 10:25:09 + 10:25:12 +1 10:25:12 +1 (guest) 10:25:18 RESOLVED: The LWS WG will focus on the current deliverables during the remainder of the existing charter 10:25:30 PROPOSAL: The next LWS WG charter will focus on reaching REC status for version 1.0 10:25:34 +1 10:25:35 +1 10:25:37 +1 10:25:37 +1 10:25:37 +1 10:25:38 +1 10:25:38 +1 10:25:39 +1 10:25:41 +1 (guest) 10:25:48 +1 10:25:53 RESOLVED: The next LWS WG charter will focus on reaching REC status for version 1.0 10:26:06 PROPOSAL: The next LWS WG charter will include a maintenance period 10:26:08 +1 10:26:10 +1 10:26:10 +! 10:26:11 +1 10:26:11 +1 10:26:11 +1 10:26:12 +1 10:26:13 +1 10:26:14 +! 10:26:15 +1 10:26:15 +1 (guest) 10:26:16 +1 10:26:35 RESOLVED: The next LWS WG charter will include a maintenance period 10:26:44 PROPOSAL: The timeframe goals for LWS deliverables includes: CR by Fall 2026, TR by Fall 2027 10:26:45 +1 10:26:46 +1 10:26:47 +1 10:26:47 +1 10:26:49 +1 10:26:49 +1 10:26:49 +1 10:26:51 +1 10:26:51 +1 10:26:53 +1 10:26:53 +1 (guest) 10:26:55 +1 10:27:02 RESOLVED: The timeframe goals for LWS deliverables includes: CR by Fall 2026, TR by Fall 2027 10:27:28 acoburn: Let's move on to the next topic, which is Access Requests 10:29:38 q+ 10:31:33 zakim, open agendum 3 10:31:33 agendum 3 -- Container features and proposals -- taken up [from agendabot] 10:31:56 agenda? 10:32:34 agenda: https://www.w3.org/events/meetings/fed3ebd2-1330-4853-8ec4-12442c47e32c/#agenda 10:32:34 acoburn, sorry, I did not recognize any agenda in https://www.w3.org/events/meetings/fed3ebd2-1330-4853-8ec4-12442c47e32c/#agenda 10:32:54 topic: Access Requests 10:33:17 s/agendum 3 -- Container features and proposals -- taken up [from agendabot]/ 10:33:37 Access Requests PR -> https://github.com/w3c/lws-protocol/pull/106 10:33:38 https://github.com/w3c/lws-protocol/pull/106 -> Pull Request 106 Add editors draft for LWS Access Requests and Access Grants (by acoburn) 10:34:45 acoburn: I'd like to set as a goal that we get consensus on what we want this proposal to be, and clarify what we still want to change and how. 10:35:05 RRSAgent, make minutes 10:35:06 I have made the request to generate https://www.w3.org/2026/04/27-lws-minutes.html termontwouter 10:35:50 acoburn: The (currently separate) document does three things 10:36:15 ... it allows the actor to request access to resources 10:36:50 ... it defines the semantics of a grant to do specific actions on resources 10:37:30 ... and it defines how to specify profiles that use this model with a specific policy language. 10:38:47 ... The examples use JSON-LD, but the data model is completely abstract, separate from any serialization. 10:39:28 scribe+ 10:41:28 acoburn: The high level model of a request consists of a type, a notification inbox, a storage identifier, and an array of access objects 10:42:21 q+ to ask about target 10:42:28 eBremer: We should make clear that JSON-LD arrays are unordered. 10:43:38 acoburn: An access object defines what access is being requested, and is specified in the profile. 10:43:48 q+ to ask about storage (as recipient), see also https://github.com/w3c/lws-protocol/pull/106#discussion_r3009771501 10:43:53 ... I'd like to have some input on certain questions. 10:44:24 ... First, I wonder if hasPurpose should be part of the access object or of the request as a whole. 10:45:20 ... The rest of the access object consists of a target, an array of actions, and an array of constraints. 10:45:31 ack next 10:45:38 laurens: Are the constraints additive? 10:45:45 q+ to ask about specific profile identifier 10:45:50 acoburn: Yes 10:46:03 ack next 10:46:04 gibsonf, you wanted to ask about target 10:46:05 bendm: Can we do disjunctions as in ODRL? 10:46:25 acoburn: No, it is a subset. 10:46:32 gibsonf1: Why do we have a type on the target? 10:46:54 q+ for purposes; maybe also interplay of multiple access items (over same resource), and partial grants 10:47:54 laurens: To make the request self-contained. For example if a container changes to a resource, in which policies on the first apply to its children, but the latter on the resource itself. 10:48:36 acoburn: We also might not know the exact URL, so we need an indication of how to interpret the values. 10:49:27 q+ 10:49:49 q- 10:50:06 gibsonf1: The server knows what is at the URI. Reusing URIs is confusing, plus the request would have been decided upon by the resource owner, who should be aware of this change. 10:50:20 ... I would refrain from putting semantics about the resource in the access request. 10:51:43 acoburn: Going back to use cases. When someone requests data, it is often the case they don't know the URLs, but they do know the type. 10:51:47 +1 from SAI access needs on only knowing type/shape 10:53:53 ... We define target as a term with a type and a value. The type is an extension point to indicate how to interpret the values (paths, categories, resources...). 10:54:48 gibsonf1: I understand the StorageResource type, but not the Container vs DataResource types. 10:55:05 q+ 10:55:39 ... It would be more helpful to have types like PhotoAlbum or Friends etc. 10:56:24 acoburn: I'd expect there to be other types. We kept this minimal because of the work on Type Indexes. 10:56:44 ... The three provided options are about literal locations, but this is not a requirement. 10:57:09 jeremycaine: I think we are mixing up type and metatype. 10:57:46 Confusion is probably only on these three terms (and the intention of types used for other stuffs is less confusing). I suggest changing `DataResource` + `Container` + `StorageResource` to `Resource` + `AllSubResources`? 10:58:09 elf-pavlik: It is the type of targeting method, not the type of resource. 10:58:38 acoburn: Indeed, and this would also depend on the underlying policy language. 10:58:48 q? 10:58:52 +1 to ryey here, maybe the terms could be clearer in what their usage entail / what their goal is 10:59:51 +1 to clarify naming 10:59:53 uvdsl: Maybe we should rather define the types by the functionality you want to achieve. For example the container itself vs the child resources... 11:00:38 +1, this clarifies the fact that "type" captures the intent of the requester (and therefore how to interpret the "value") 11:00:56 Sure. Will do now 11:00:59 elf-pavlik has joined #lws 11:01:22 ack next 11:01:23 uvdsl, you wanted to ask about storage (as recipient), see also https://github.com/w3c/lws-protocol/pull/106#discussion_r3009771501 11:02:22 uvdsl: I commented on the initial draft of Access Requests, and I understand the storage field as pointing to the 'recipient' of the action/grant. 11:02:44 ... Would this not better be modeled as the 'audience'? 11:03:03 +1 user centric flows 11:04:12 ... That would decouple it from the storage location, and allow user centric approaches where a grant gives access to resources on different storages. 11:04:18 I may have a different opinion than uvdsl of the "recipient" (already in queue) 11:04:45 acoburn: Good idea. Would this still be required? 11:04:57 uvdsl: I feel like it should. 11:05:21 pchampin: But this would be posted to the inbox which is discovered at the storage? 11:05:27 q? 11:05:30 acoburn: Not necessarily, that is just one option. 11:05:35 ack next 11:05:36 bendm, you wanted to ask about specific profile identifier 11:05:47 q- 11:06:39 ryey: My main reservation here is that as the recipient, why would it need to be present? 11:07:04 uvdsl: That is why 'audience' is a better concept here. 11:07:18 q+ to suggest defining storage manager term 11:07:59 ... Similarly, this would allow requests to be made without knowing the storage location (cf. Google Drive) 11:08:43 ... The main difference is that storage is a technical perspective. 11:09:11 ryey: There are arguments for both aspects. 11:09:43 uvdsl: The value of this 'audience' property could cater to both. 11:09:53 q+ to ask about terminology since 'storage' in the Terminology section of core spec; we are discussion enumeration of audience (storage, user etc) 11:09:57 ryey: Should that be a single value or an array? 11:10:02 q+ 11:10:19 acoburn: I'd think a single value 11:10:40 uvdsl: The audience of JWTs can be an array 11:12:00 acoburn: A quick followup. The audience from a request should translate smoothly to the one in a grant. Can we have an array there as well? 11:12:44 elf-pavlik: In SAI, grants are scoped to single storages, because they are used as credentials. 11:13:01 acoburn: But here grants are not used as credentials. 11:13:23 elf-pavlik: As long as they are never exposed to other storages, it's a possibility. 11:13:51 uvdsl: I think there is no issue with having an array in grants as well. 11:15:26 ... Though the authorization server would probably want to limit the audience of the grant to the specific storage. 11:17:30 ack pchampin 11:17:31 pchampin: My interpretation of the storage field is that this coincides with the owner/inbox where the request/grant was posted, and thus neither the requester nor the assignee. 11:18:34 uvdsl: But in the grant the same field was used as 'sender', or 'assigner'. 11:18:50 elf-pavlik: How would we use the value of such a field? That would be helpful. 11:19:41 acoburn: Storage was meant as a high-level scoping mechanism, as a 'realm' of data. 11:21:16 ryey: For me, it should be a single value, and not an array, since the information it adds is to inform the requester. Multiple ones muddle this information. 11:22:36 acoburn: Given that it is a very high-level security API, I also think we should value clarity over extensibility. So I'd be inclined to have a single value too. 11:23:23 uvdsl: I'm fine with either, but maybe there are use cases that might require it. 11:23:39 acoburn: Worst case, one can emulate this with multiple requests. 11:23:42 elf-pavlik has joined #lws 11:23:56 q+ to ask is access request for the client to access a resource from LWS server, or access request for LWS server to an external thing e.g. the stored item 11:24:18 bendm: What do we decide on the kind of audience? 11:25:08 scribe+ 11:25:21 termontwouter: if we want to allow this kind of broader, non-storage, audience 11:26:05 ... to support something like "I want to see all your photos (wherever they are stored)" to a user 11:26:11 ... what would the grant look like? 11:26:52 acoburn: imagine I have 5 different storage providers, and someone sends a request to see photo of my recent trips 11:27:05 ... and that those photos are spread on 2 of my 5 storages 11:27:43 ... I am the audience of the access request, I would create two access grants, one per storage 11:27:56 termontwouter: so the grant is not a copy-paste of the request 11:28:11 acoburn: there is a relation, but this is not copy-paste 11:28:27 ... if your request access to a type, I would grant you access to a location 11:28:35 q+ 11:29:12 ack next 11:29:13 ryey, you wanted to discuss purposes; maybe also interplay of multiple access items (over same resource), and partial grants 11:29:23 scribe+ 11:29:32 scribe- 11:29:35 q+ to ask about profile identifier 11:31:17 ryey: The hasPurpose and constraint fields seems exceptional in that they are not something the LWS server knows about. Maybe we should group this in one object (constraints)? 11:32:27 q+ to ask about purpose - woldn't that just be a message to the resource owner? 11:32:30 acoburn: I concluded the opposite. A server is indeed going to have a hard time enforcing a purpose. Constraints, as I understand them, will be enforced at evaluation time. 11:32:46 q+ to clarify ODRL constraints 11:34:29 ryey: My rationale is that constraints are an extension point, and are therefore not necessarily enforceable. For example whether the data is going to be processed locally. 11:34:41 q? 11:35:38 scribe+ 11:36:35 termontwouter: this is not stctrictly ODRL model ... assignee is also a constraint... 11:36:45 0 11:36:57 STRAWPOLL: should "purpose" be merged into "constraints" 11:36:57 laurens has joined #lws 11:36:58 I'm not sure what purpose would mean at all for a server 11:37:07 -1 11:37:10 +1 11:37:11 -1 11:37:32 acoburn: ODRL purpose goes inside of constraint block 11:37:33 +1 11:37:47 +1 (follow ODRL) 11:37:54 0 11:38:07 wouldn't purpose only be understood by the resource owner as opposed to the server? 11:38:08 +1 because it would allow discover servers that support purpose 11:38:10 0 11:38:49 acoburn: servers may not be able to enforce 11:38:51 q+ to ask how a server would theoretically enforce purpose 11:39:04 laurens: do we need to spec it, one can put it into ODRL 11:39:35 acoburn: we can add it into constraints or leave it out 11:39:48 A Server could advertise supported constraints, that could include a constraint on purpose (if a server finds a way to enfoce it) 11:40:40 pchampin: i sympathise with idea that ODRL supports it, it is still wip, semantics are still being defined, constraints in ODRL are to flexible for interop, that's why i voted -1 11:41:16 ... there are two options, enforcable constraints other constraints that include purpose etc. i see value in separating both 11:41:30 ... mixing it together doesn't feel right 11:42:11 termontwouter: you can't split up constraints into two groups, some can only be enforced in audit, you can't clear cut it off 11:42:25 ... it may be required for constraints to define how they apply 11:42:57 laurens: i think for now we define only minimum constraints that can be enforced at requires time, other can be added up to implementers to do that 11:43:13 ... we should start only with what's possible at request time 11:43:51 uvdsl: there's also an option to add discovery aspect for servers, clients can only expect what server advertises, so client doesn't shoot request into dark 11:44:17 ... instead client checks beforehand, for purpose it would know which one is supported 11:44:45 Similar to https://solid.github.io/web-access-control-spec/#acl-resource-condition-discovery 11:44:52 ack pchampin 11:45:01 acoburn: to your point about constraints, jeswr and I, we had idea that a lot of values represented in access token at some point are validated 11:45:12 ... issuer client id, there is some mechanism to validate it 11:45:40 ... it is really hard to validate client assertions for how something is to be used, client can make one claim but do something else 11:46:10 ... if there is a some constraints for purpose, in access grant or set of ag, there is purpose a and purpose b 11:46:43 ... we can then supply link header in response to indicate this is purpose a this is purpose b, that would be one thing that we could do 11:47:18 uvdsl: i was saying that weather or not a particular constraint.... my suggestion was that server can advertise what they support 11:47:37 +1 for servers declaring supported constraints 11:47:38 ... server can say my engine allows for this or that constraing 11:48:18 ... if the client approaches a server stating it's purpose, and the server can check what the client has stated based on policy 11:49:03 uvdsl: i agree with link header which could be a hint 11:49:31 ... client can also have a purpose in the token used for request, server could check asserted purpose if it matches what policy says 11:49:56 uvdsl: that would provide technical foundation for argument of misuse 11:50:27 acoburn: one could build rich authz request on top of what we have, this would allow to add purpose in the entire interaction 11:50:50 ... we could add in the discovery document indicate which constraints are supported by the server 11:51:06 ... all of which leads to moving the purpose to the constraints object 11:51:30 ryey has joined #lws 11:52:12 pchampin: it may be harder to figure out what is being supported, especially if discover is via user's id not the storage 11:53:02 ...: some servers can enforce it some not, we may not rely on discovery of specific capabilities before asking 11:53:38 jeremycaine: lws client, makes request to the server eg. give me photos 11:53:50 ... server has multiple storage managers 11:53:58 acoburn: the owner has a role to play there 11:54:20 jeremycaine: server consults icloud photos, medical photos etc. 11:54:34 ... decides which photos to grant access to 11:54:48 ... client may receive only some of the exising photos 11:55:03 acoburn: i would imagine that owner of the data will be involved in those negotations 11:55:29 ... you would get a notification and had UI as owner to make the decision 11:55:45 ... you created the request, i create the grant saying what you have access to 11:55:54 ... access policies get updated accordingly 11:56:01 ... the grant is just a receipt 11:56:21 jeremycaine: i have evernotes, which could be lws connecting to various systems 11:56:40 ... request comes for photos, i will not allow access to some sensitive photos 11:57:06 acoburn: request allows me to describe what i'm looking for, the purpose would be one of those things 11:57:14 ... you would respond, or ignore it, 11:57:49 q? 12:02:14 acoburn has joined #lws 12:02:20 q? 12:02:25 ack next 12:02:26 elf-pavlik, you wanted to suggest defining storage manager term 12:02:28 ack next 12:02:29 jeremycaine, you wanted to ask about terminology since 'storage' in the Terminology section of core spec; we are discussion enumeration of audience (storage, user etc) and to ask 12:02:29 ... is access request for the client to access a resource from LWS server, or access request for LWS server to an external thing e.g. the stored item 12:09:12 ack next 12:09:13 bendm, you wanted to ask about profile identifier 12:25:33 present+ 12:35:48 bendm has joined #lws 12:35:53 present+ 12:35:58 scribe+ 12:36:01 termontwouter has joined #lws 12:37:08 bendm: how is the access request/grant structure linked to a profile identificator? 12:37:35 acoburn: we're currently using the lws#AccessProfile identificator 12:37:49 ... other profiles may have different features/qualities 12:38:47 bendm: so how is a grant body linked to a specific profile identifier? 12:38:57 acoburn: there's a type filed 12:39:02 s/filed/field 12:39:23 acoburn: so a wac profile would have type WacPolicy 12:39:31 q? 12:39:34 ack next 12:39:35 gibsonf, you wanted to ask about purpose - woldn't that just be a message to the resource owner? and to ask how a server would theoretically enforce purpose 12:40:00 gibsonf1: the purpose of purpose 12:40:17 ... this is more a human understanding kind of thing? 12:40:28 jeremycaine has joined #lws 12:40:34 present+ 12:40:47 acoburn: yes, there are things that you might need to enforce in a legal way 12:41:11 ... we are not formalizing how a client makes use of this purpose, but it enables regulatory enforcement 12:41:25 gibsonf1: it feels like it wants to be a string? 12:41:41 https://www.w3.org/community/dpvcg/ 12:41:47 jeswr: there's a set of DPV vocabularies (live with ODLR), with a large set of purpose terms 12:41:51 elf-pavlik has joined #lws 12:42:08 gibsonf1: but a client enforcing usage controls, what does that mean? 12:42:20 jeswr: in the scope of digital rights management 12:42:47 ... e.g. within a bank, there's software infrastructure, where data being collected is only used for their specific purposes 12:43:00 acoburn: it's more about auditability than enforcement 12:43:21 ack next 12:43:22 termontwouter, you wanted to clarify ODRL constraints 12:43:47 termontwouter: about declaring the access request service 12:43:58 ... does it mean an access request is tied to the storage? 12:44:10 ryey has joined #lws 12:44:11 ... does a storage only provide one for all its resources? 12:44:54 acoburn: access request service can be separate, but they could be deployed together as well 12:45:11 acoburn: you could also have multiple access request services, e.g. for different profiles 12:45:54 acoburn: next: serialization 12:46:04 ... the idea: jsonld serialization is one possible serialization 12:46:25 ... the datamodel is independent of serializatoin 12:47:01 ... the protocol states: access request and access grant endpoints are LWS containers 12:47:12 ... some things 12:47:34 ... one: the access controll properties within such a container might act a bit different than in a 'normal' container 12:47:42 q+ to clarify request service API 12:48:05 ... there might be need for particular behavior, e.g. a particular agent could manage all requests, or only a specific set of requests 12:48:20 ... the details, I moved to security and privacy considerations 12:48:25 q+ to ask about nature of access requests 12:48:28 jeswr: this was based on the way inboxes work 12:48:30 q+ to ask about ACL in access request/grant endpoint 12:48:46 ... we are defining containers in a way that are inspired by LDP 12:49:02 ... I could imagine implementations that state: LWS + set of restrictions === LDP 12:49:25 ... could we think of similar constraints so that LWS + set of restrictions === LDN inbox? 12:50:01 acoburn: I had activitystreams in the back of my head 12:50:13 ... for reasons, we don't want to pull in the entire LDP spec 12:50:17 ... we could clarify that more 12:50:44 elfpavlik: useful reference is social web WG note where Amy wrote how activitypub relates to this. 12:50:55 s/elfpavlik/elf-pavlik 12:51:17 acoburn: there's a notification section: this section is intentionally vague 12:51:22 q? 12:51:25 ack next 12:51:26 termontwouter, you wanted to clarify request service API 12:51:52 termontwouter: why should we define the API for the access request / grant service? given there's already a profile 12:52:16 ... we don't really separate that kind of request from the OAuth request, which transfers the same info 12:52:24 acoburn: profile defines the datamodel 12:52:49 ... defining the API here was defining something generic 12:53:07 ... it could go into the profiles 12:53:51 Ben, can you again elaborate on how your solution works? 12:54:20 termontwouter: having the protocol either as part of the profile, or as a separate profile would make sense 12:54:46 q+ to ask for clarification 12:54:51 acoburn: we could move that right now, to keep flexibility 12:55:06 q- 12:55:23 q? 12:55:37 acoburn: security and privacy considerations would be part of thread modeling excercise 12:56:31 ... the profile we want to define should be general-purpose and as simple as can be 12:56:56 ... taking ODRL profile, underlying layer of WAC would need a translation to the actual WAC execution 12:58:02 jeswr: I propose we say we can use the ODRL access request also feasible for access control language 12:58:12 acoburn: I think one could use that, but it's not necessary 12:58:28 ... I propose to keep out of scope, so existing systems can still be used 12:58:58 jeswr: I'm building an authz mgmt browser extension 12:59:01 q+ to mention that SAI uses access grants as access control source of truth 13:00:01 q+ to ask about ODRL profile as access control, with editors; also about not necessarily access control language 13:00:24 ... you could issue your access request to that extension, so granting access can be done in a popup (nothing to the server yet), which could then be translated to access control update 13:00:44 ... so wherever you want to issue an access request, you might want a client that can issue that as a change to access control 13:01:22 acoburn: I don't think our proposal prevents what you're describing 13:01:36 ... so, yeah, it looks like that's possible, let's round off here 13:01:47 q- 13:02:05 ack next 13:02:06 gibsonf1: so, access grants, are effectively receipts? server could then interpret that to access control as that server sees fit? 13:02:07 gibsonf, you wanted to ask about nature of access requests 13:02:30 ... so if that grant is deleted, that access control is also deleted? 13:02:46 q+ to ask about (notification of) revocation 13:02:51 ... is it the only way to give access? 13:02:58 acoburn: it's one way, we hope one that's interoperable 13:03:11 ... if you have other ways to achieve that, access requests shouldn't prevent that 13:03:31 gibsonf1: if this were the only way, it solves different servers having different WAC vs ACP etc 13:03:44 acoburn: in principle, it would provide a high-level interface 13:03:54 ... it doesn't prevent you from working on that lower lever 13:04:08 gibsonf1: in LWS spec, will this be the only spec'd way to do it? 13:04:42 acoburn: a conforming LWS implementation doesn't need to support this to be conformant 13:04:52 ... but if it wants to implement this feature, this is how to do it 13:05:09 gibsonf1: I suggest to just require this 13:05:20 ... to make interop easier 13:06:00 acoburn: so, suggestion is that all servers support at least this access request/grant grant 13:06:07 does this work with the "profile approach"? 13:06:28 jeswr: I get the access request/grant way, not the ODRL profile 13:06:54 acoburn: in the doc today, we describe a profile, but don't require it 13:07:05 ryey has joined #lws 13:07:13 ... we could require access request / grant, but not enforce the specific profile 13:07:23 pchampin: can I just pop a grant out of the blue? 13:07:24 acoburn: yes 13:07:40 pchampin: so that would be a replacement of finding and patching the ACL resource? 13:07:51 acoburn: not necessarily a replacement, but a higher-level API 13:07:54 I hope not 13:08:02 re pchampin... 13:08:34 termontwouter: so you could move the requirement of the feature to the core, and have the profile as a separate doc 13:08:42 pchamping: yes, but that's an editorial decision 13:09:11 uvdsl: Is then the access grant the normative source for authz? or the higher-level interface? 13:09:21 acoburn: the latter, the higher-level interface 13:09:35 ... we're not specifying the lower-level 13:09:47 uvdsl: so if I delete a grant, is the authz still in place? 13:09:57 gibsonf1: I'd say no 13:10:41 acoburn: if I were writing an implementation, I would have the authz rules follow the existence of the grant 13:11:20 pchampin: the current spec does state that the existence of the grant is leading 13:11:44 q? 13:11:54 q+ 13:12:21 laurens: the implementation may choose to do something specific, e.g. WAC, and additional rules on top of the grants can happen, but that's not materialized to the access grants 13:12:24 ack next 13:12:25 elf-pavlik, you wanted to mention that SAI uses access grants as access control source of truth 13:13:06 elf-pavlik: implementer feedback: I just do queries on top of the grants to grant access, that's possible 13:13:10 ack next 13:13:11 ryey, you wanted to ask about ODRL profile as access control, with editors; also about not necessarily access control language and to ask about (notification of) revocation 13:14:25 ryey: access grants as source of truth: it works alright if we require an access control policy under the hood, but if we look into other possibilities, the policy is not an access control policy 13:14:42 ... I see difficulties trying to implement this in the policy engine I'm working on 13:15:04 ... this is a mental model difference of how we see access 13:15:34 acoburn: can we make an issue about whether access request / grant layer is a source of truth? or just a layer on top? 13:15:47 q+ 13:15:53 +1 on scrutinizing whether the access grants are the source of truth for the system (also given that there might be other parallel mechanisms on-top of a dedicated authorization layer) 13:16:49 bendm: I think we may need more access control constraints below or above access grants 13:16:59 ack gibsonf 13:17:23 gibsonf1: our implementation would be: grants would be guiding on active WAC rules 13:17:43 uvdsl: that's also how I implemented it 13:17:48 "source of truth" is an implementation detail 13:17:50 q- 13:17:52 ... the interface for the user is the access grants 13:18:05 acoburn: there's the interface for describing how access works 13:18:14 ... there's interface for enforcing access controlls 13:18:29 ... the API for describing what access is given could be access request/grant 13:18:37 ... but what access is given, is on the WAC level 13:19:09 uvdsl: question is: can you require the sync? eg if you have multiple interfaces or sideload authz 13:19:24 ... or should it be a SHOULD? 13:19:24 q? 13:19:25 q+ to ask on sync 13:19:52 bendm: so it can be possible that you have lower rules that are more than what grants are exressing 13:20:16 ... eg. i can have admin account that allows me to do more than what grants are specifying 13:20:47 laurens: if implementation uses something more, i would expect that access grants i retreve to be in sync 13:21:06 bendm: if i make 5 grants, is it possible to have 7 rules where 5 are from the grants and 2 extra 13:21:17 acoburn: it seems like an impl detail 13:21:36 q+ 13:21:52 acoburn: are we going in the right direction? 13:22:09 all: nodding yes 13:22:10 +1 13:23:30 laurens: let's do terminology 13:23:32 topic: Terminology 13:23:49 RRSAgent, make minutes 13:23:50 I have made the request to generate https://www.w3.org/2026/04/27-lws-minutes.html termontwouter 13:23:56 me also, timbl is likely to have input on notifications 13:24:11 acoburn: I made a start on terminology 13:24:31 s/me also, timbl is likely to have input on notifications// 13:24:45 s/pchamping/pchampin 13:25:02 acoburn: i feel like we need 'Storage' 13:25:14 ... 'Resource' is from HTTP 13:25:20 ... everything else is up for debate 13:26:13 q+ to ask about storage workspace 13:26:27 ... Storage Description, Storage Workspace/Root, Container, Data Resource, Metadata Resource, Membership/Containment? 13:26:42 ... Agent, Controller/Storage Manager, Services, Capabilities 13:26:46 ... there could be other terms 13:27:08 acoburn: Storage. If you look at Solid, storage is a URI space 13:27:37 ... Storage defines the identity space 13:27:44 propose s/URI space/Resource hierarchy/ 13:28:16 ... so, within a Storage, all resources are within that URI space 13:28:20 q+ to ask about resource definition 13:28:54 ... the provider (dropbox.com) could be different from the uri space 13:28:56 q+ to propose s/URI space/Resource hierarchy/ + specifiy that it may not be the root 13:29:25 ... and you can link to other URI spaces, but all managed resources are within that URI space 13:29:26 "The target of an HTTP request is called a "resource". HTTP does not limit the nature of a resource; it merely defines an interface that might be used to interact with resources. " 13:29:48 jeremycain: at the end of the day, the Storage is the 'top of the tree'? 13:30:05 elf-pavlik: does the storage denote the root? 13:30:32 acoburn: the workspace is part of the URI space, with specific behaviors 13:30:59 ... a Storage only defines the URI space, once we're in a Workspace, it can have specific behaviors 13:31:21 ... a Workspace can have the same URI as the Storage, link in Solid, but they can also be different 13:31:29 q+ 13:31:31 q? 13:31:55 ... it gives you some models to organize things 13:32:04 +q to propose clear separation between root(s) and prefix 13:32:05 ... eg having multiple roots, things that live without the roots 13:32:21 ack next 13:32:22 gibsonf, you wanted to ask on sync and to ask about resource definition 13:32:38 q- 13:32:55 q- 13:33:08 laurens: shouldn't we clarify what we mean by URI space? 13:33:26 ... is that a set of HTTP uris, what about subdomains, etc? 13:33:38 ... my main issue is that it's a bit ill-defined 13:34:03 ack ericP 13:34:03 ericP, you wanted to propose s/URI space/Resource hierarchy/ + specifiy that it may not be the root 13:34:44 ericP: in most systems, it will not be a server root, but everyone knows what slash means 13:34:56 ... e.g. unix-like, /home/alice/bob/claire 13:35:15 ... for alice: it'll start at /home/alice, for bob it'll be /home/alice/bob 13:35:37 ... so I suggest to make it broad enough, also for people that don't maintain their own domain names 13:36:03 acoburn: conceptually, /home/alice is a storage, /home doesn't need to mean anything 13:36:12 ericP: are we prohibiting? 13:36:34 ... e.g. can a storage be within another container? 13:37:35 q+ to ask about storage as top level secure space 13:37:48 acoburn: here, we're talking about /home and /home/alice: /home is out of scope for LWS 13:38:54 ericP: so, we are indeed prohibiting that a LWS server has /home as container, cannot specify /home/alice as storage? 13:39:15 termontwouter: but they can both storage roots, right? 13:39:34 acoburn: I would state that storage roots are non-overlapping 13:40:15 jeremycaine: so you should never be able to go from one storage to another storage? 13:40:47 acoburn: yes, but that's rather an implementation detail 13:41:05 acoburn: storage is conceptual URI hierarchy/space, the workspace has particular behaviors 13:41:36 laurens: would an access request audience be the storage or the storage workspace? 13:41:59 termontwouter: can we keep storage as the higherlevel thing, and rename the current to Storage Namespace? 13:42:44 acoburn: I like workspace, to disambiguate from 'Root' as that's both a hierarhcy root as a URI root 13:42:46 q+ 13:42:51 q+ to ask about storage as a container itself 13:42:53 q- 13:42:58 ack laurens 13:43:10 laurens: should we clarify that it's an http namespace? 13:43:25 ... and further narrow that down? 13:43:32 ... or keep it vague? 13:43:43 acoburn: for me, someone could use a different URI space 13:45:23 bendm: but there's already a lot HTTP dependency in the spec, so we could just be specific from the start. 13:45:45 acoburn: we could allow DID, as many DID ids have an HTTP interpretation 13:46:52 The actual definition in the spec of a resource: "3.1. Resources 13:46:52 The target of an HTTP request is called a "resource". HTTP does not limit the nature of a resource; it merely defines an interface that might be used to interact with resources. Most resources are identified by a Uniform Resource Identifier (URI), as described in Section 4." 13:47:04 jeremycaine: so if we start from HTTP, and going to Resource, does it have to be HTTP? 13:47:34 laurens: we collapsed RESTful bindings, so now everything is HTTP 13:48:02 q? 13:48:22 ... in an LWS 2.0, we could decouple actions from protocols, but for now I wouldn't 13:49:27 jeremycaine: suggest to simplify: Storage Namespace and Storage Workspace 13:49:38 q- 13:49:51 ack next 13:50:10 pchampin: explicit notion of namespace is good, but we don't specify storage anymore 13:50:44 ... for my understanding, in solid storage namespace and workspace are collapsed 13:51:10 ... so this definition, a namespace can have multiple workspaces 13:51:15 ... what does this distinction buy us? 13:51:42 q+ to ask that Storage itself should be identical to a container when an interface made to it for that data 13:52:39 acoburn: example: storage namespace is https://storage.example/ 13:52:39 storage workspace is https://storage.example/ws/ 13:52:55 acoburn: you can have https://storage.example/sparql/ 13:53:01 ... part of the storage, but don't conform to LWS 13:53:37 ... and you can have multiple workspaces 13:53:56 eBremer: so is the namespace a template for all the URIs? 13:54:03 ... a prefix for everything? 13:54:12 elf-pavlik: like void:prefix 13:54:37 acoburn: yes, but not everything is RDF 13:55:01 pchampin: so storage NS has multiple workspaces (that are LWS containers) and can have other things 13:55:18 q+ to ask about UC for multiple workspaces 13:55:45 ack gibsonf 13:55:45 gibsonf, you wanted to ask about storage as a container itself and to ask that Storage itself should be identical to a container when an interface made to it for that data 13:56:23 q+ 13:56:56 gibsonf1: so could you have a storage that is also a workspace, and have as many hierarchies you want below 13:57:30 ... issue of ldp is the nature of ldp:contains as only form of hierarchy 13:57:52 ... so could we have different semantic hierarchies within a workspace? 13:58:47 q? 13:59:10 ... needs to leave .... 13:59:40 acoburn: question is, do we need a notion of workspace? 13:59:59 ack TallTed 14:00:28 TallTed: there is a blurring between the 'client' and 'server' perspective 14:00:55 ... recognize that the server concept of root needs to be distinguished from the client concept of root 14:01:25 ... LWS should be usable for more than Solid implementation pattern 14:01:53 ... that separation between what works for LWS and what works for Solid should be kept in mind 14:02:01 q+ 14:02:09 acoburn: cfr blurriness, that's why I want clear definitions 14:02:37 ack elf-pavlik 14:02:37 elf-pavlik, you wanted to ask about UC for multiple workspaces 14:02:39 ack next 14:02:49 q+ 14:02:52 q+ 14:03:06 elf-pavlik: is there a clear usecase for multiple workspaces? 14:03:54 acoburn: depends on how storage description is structured 14:04:31 ... #117 14:04:32 https://github.com/w3c/lws-protocol/issues/117 -> Issue 117 Clarifications around containers and roots (by kaefer3000) 14:04:35 bendm: if you want to have sparql services, then you need a distinction between workspace and storage, and you may as well allow mutiple workspaces 14:05:43 ... Storage (concept) vs Storage Identifier (globally unique id) vs Storage Description Resource 14:06:20 acoburn: Storage Description Resource could specific ID, multiple workspaces. if you workspace root is the same as your storage ID, you get the Solid scenario 14:07:03 ... at some point, you need a reference from the storage to a 'this is a place where you can start writing' 14:07:26 q? 14:07:29 ack next 14:07:30 elf-pavlik: yes, but then you need to prompt the user for which workspace to use 14:07:56 pcahmpin: I see difference between storage and workspace is still useful 14:08:17 ... storage is 'all resources', workspace is 'a specific set of resources' 14:08:18 +1 to definitions of pchampin 14:08:41 q+ to ask about parallels to cloud object service and buckets and folders 14:08:45 pchampin: 1-to-1 relation is simpler, but distinction is useful 14:08:56 q? 14:08:57 s/pcahmpin/pchampin 14:08:57 +1 pchampin 14:09:04 ack next 14:09:32 laurens: in making this distinction between storage namespace and workspace: what does that buy us in terms of authz and authn? 14:11:54 bendm: only storage workspace conforms to lws or the storage as well? 14:12:53 pchampin: the storage has one identified controller, in my opinion 14:13:05 ... the workspace are the containers (which could be only one) 14:13:41 q- 14:13:48 storage = service provide by LWS compliant system 14:13:50 laurens: a simpler way of approaching: a storage is realizing some operations on logical resources, rather than saying something else 14:14:54 q+ 14:15:00 ... I would like to say: a storage may contain one or more collections of resources managed by one subject 14:15:10 termontwouter: I like the logical aspect of that 14:29:26 q+ to ask: are we conflating the idea of a Storage with the Service providing the storage (in terms of services supported by the overall service etc) 14:29:54 scribe+ 14:30:40 laurens has joined #lws 14:30:43 present+ 14:30:45 q+ 14:31:01 ack next 14:31:02 jeremycaine, you wanted to ask about parallels to cloud object service and buckets and folders 14:31:06 TallTed: multiple services may use the same directory; this leads to security issues that we will need to discuss later 14:31:19 bendm has joined #lws 14:31:46 elf-pavlik has joined #lws 14:31:47 jeremycaine: parallel with AWS: service > instance > bucket 14:32:15 ... are we aiming to align our terminology to something like that? 14:32:36 s/service/tenant > service 14:32:49 laurens: I think we are moving closer to that 14:32:55 ... bucket would be workspace 14:33:01 ... tenant would be storage 14:33:03 jeremycaine has joined #lws 14:33:08 ... I'm not sure what "service" would be 14:34:09 termontwouter: in the example we have a SPARQL service, we could have more of those 14:34:39 acoburn: we should clarify the concepts first; then discuss how we express them 14:34:55 laurens: as in: "a workspace could be just another service" 14:35:22 bendm: I don't think a storage could have no workspace, that justifies treating it differently 14:36:21 laurens: what we call a storage is a collection of services, that complies with our spec; think of it more as an openid description 14:37:28 ... most of the confusion comes from the word "storage", which assumes that everything under it follows the CRUD operations 14:38:06 ack next 14:38:07 gibsonf1: I agree; I assumed that storage was what we called "pod" but it seems that we are talking about the service serving the pod 14:38:08 gibsonf, you wanted to ask: are we conflating the idea of a Storage with the Service providing the storage (in terms of services supported by the overall service etc) 14:38:27 ... this makes it confusing 14:38:31 q+ to clarify server with diverse storage configurations 14:38:42 q+ 14:39:27 q? 14:39:31 ack next 14:39:44 laurens: the issue I see, in turning this into a general service description, is creating more room for interpretation 14:39:53 ack next 14:39:54 elf-pavlik, you wanted to clarify server with diverse storage configurations 14:40:09 elf-pavlik: I understood gibsonf1as suggesting we provide whole server description 14:40:20 q+ 14:40:22 ... I think one description per storage is simpler 14:40:53 q? 14:40:55 +q to preserve storage as it is 14:40:57 laurens: I would avoid the term "server", it adds complexity 14:41:16 jeremycaine: in cloud, we talk about "control plane" which has many "data planes" 14:41:25 ack next 14:41:30 scribe+ 14:41:46 pchampin: My understanding is that storage is close to the term "Pod" in Solid 14:42:02 ... I would avoid generalizing storage description into a service description 14:42:12 ... The description is storage centric. 14:42:29 scribe- 14:42:32 ack next 14:43:10 gibsonf1: having "LWS service with a URI" in the terminology, would not prevent you from having a more specific "pod" description 14:43:18 q+ 14:43:33 ... every storage could use these services or not 14:43:52 ... it would still make sense to have a global list of the services available with a given service provider 14:44:07 ack next 14:44:08 termontwouter, you wanted to preserve storage as it is 14:44:47 termontwouter: to gibsonf1's comment; in that case, you could have all storage desciptions point to the same resource 14:45:03 ack next 14:45:05 ... to laurens, I don't think that the notion of storage is strange 14:45:25 Hydra has something in lines of (REST) Entry Point 14:45:26 ... +1 to pchampin to be storage centric 14:45:58 q? 14:46:02 laurens: the more I think about it, the less I like the level of indirection introduced by workspaces 14:46:22 q+ 14:46:31 ... it makes sense to have a description resources associated to a storage; but that storage should have a singular container as an entry point 14:46:52 acoburn: so you propose that the storage URL is a solid container? like Solid? 14:46:56 laurens: yes 14:47:00 gibsonf1: +1 to that 14:47:12 acoburn: is everyone ok with that? 14:47:30 "LWS Storage" much preferred. Specificity in naming is a good thing. 14:47:44 ... the storage URI is a root container; every storage has exactly one root container? 14:47:54 "LWS Storage" in part because we know "Solid Storage" already exists 14:47:56 q+ 14:48:30 yes! 14:48:58 "Storage" is ambiguous from the start. That's not good. 14:49:12 q? 14:49:12 q? 14:49:16 ack next 14:49:17 laurens: I would not have the examples assume that there is a single-storage tenant 14:49:26 elf-pavlik: for me that's ok 14:49:43 ... the most confusing for me is "storage" vs "workspace" 14:49:44 q+ 14:50:20 q? 14:50:25 ... having different endpoints under the same NS may not be an issue if we removed slash semantics 14:50:28 ack next 14:50:29 "LWS-compliant Storage" ight be better 14:51:03 TallTed: "storage" in itself is ambiguous, e.g. "solid storage", we need a more specific name 14:51:16 ... "LWS-compliant" storage 14:51:57 termontwouter: it is a URI, the term "Storage" in the JSON-LD is scoped by the context 14:51:58 ack next 14:52:41 pchampin: the distinction between root and storage is benfitial, even that it would still allow solid practice but not make it mandatory 14:53:06 ... possibly just a purist view, but still have 1 to 1 storage to root container / workspace 14:53:11 TallTed: We have to think about humans as well as machines. The URIs for "Solid Storage" and "LWS Storage" will be different, but humans will typically be seeing "Storage" and "Storage" and not understand the collision. 14:53:29 acoburn: you couldhave storage and workspace at a different url, but there would be 1 to 1 14:53:55 laurens: just as we define access request service, we could define storage / root container service, don't care how we call it 14:54:11 termontwouter: but there would be requirement for just one service of that type 14:54:25 q? 14:54:26 acoburn: yes, similar to storage description 14:54:47 q+ 14:55:06 q- 14:55:33 acoburn: so we have Storage, Storage Description and Storage Workspace, all in 1-1 relation 14:55:40 q+ to ask what is storage 14:56:12 laurens: I would reword the definition of storage, to "a set of services discovered through a single Storage Description" 14:56:16 q+ 14:56:27 ack next 14:56:28 jeremycaine, you wanted to ask what is storage 14:56:44 jeremycaine: we still have not addressed TallTed's point about the term "storage" 14:56:58 ... would the name "LWS server" work? 14:56:59 q+ 14:57:06 laurens: it could be multi-tenant 14:57:23 s/it could/a server could 14:57:47 q+ to mention classes of products and requirement subject used in normative statements 14:57:50 ... multiple individual storages could be hosted in a single deployment 14:58:24 ack next 14:59:09 pchampin: let's call it full Linked Web Storage and in spec shorten it to Storage 14:59:25 +1 pchampin 14:59:32 ...: i didn't have all the services in mind, they are useful but not in scope of the spec 14:59:32 q? 14:59:39 ack next 15:00:00 gibsonf1: a note on the pod/storage; in our case we are modelling a storage as a container for a certain kind of thing 15:00:16 ... a single user may have thousands of storages 15:00:51 ... the idea of a Solid pod is a unit with a given controller 15:00:59 ... the storage is not the service, it is the thing being served 15:01:07 ack next 15:01:08 elf-pavlik, you wanted to mention classes of products and requirement subject used in normative statements 15:01:22 laurens: we also have use-cases where a user has several storages 15:02:05 q+ 15:02:12 ack next 15:02:50 "Set of services" because Create, Read, Update, Delete might be considered different services. 15:02:54 elf-pavlik: for the test suite, we need to determine if the subject of a normative statement is the storage, the storage description... 15:03:13 laurens: to pchampin, if the storage is not a *set of service* then what distinguishes it from the workspace? 15:03:30 pchampin: the workspace is a single container (node), the storage is everything under it (tree) 15:04:06 TallTed: it is a set of services if you consider each operation as a different service -- I could provide only a subset of these operations/services 15:04:21 jeremycaine: I would say those are operations; the services are things like access control... 15:05:31 acoburn: can we improve the definition. 15:05:35 q? 15:06:13 q+ to ask have we defined service 15:06:44 [wordsmithing the definition] 15:08:16 ack next 15:08:16 s/the definition/the definition of storage 15:08:18 jeremycaine, you wanted to ask have we defined service 15:08:57 ack next 15:09:10 laurens: I would like to reach the definition of "resource" 15:09:21 q+ to ask that we use the actual HTTP definition 15:09:27 ... do we restrict it to "LWS resource", or keep a generic "resource" 15:09:50 ... I would define a LWS Resource as either a container or a data resource. 15:10:06 ... I agree that there might be other aspects (user-managed / server-managed). 15:10:10 q+ 15:11:00 elf-pavlik has joined #lws 15:11:08 ... I see use-cases for more subtle definitions, but in the interest of time and simplicity, I would stay away from them. 15:11:52 acoburn: is this definition different from the definition HTTP? 15:12:40 gibsonf1: the definition in the HTTP RFC is actually different from what we have in the definition right now. We should not define what the resource *is*, only how one interacts with it. 15:12:43 q- 15:13:23 ack next 15:13:24 gibsonf, you wanted to ask that we use the actual HTTP definition 15:13:34 ... the current definition conflates resource and URI, while many URIs may identify the same resource 15:13:43 q+ 15:14:03 ack next 15:14:08 ... LWS should not tell you how to manage resources. 15:15:14 laurens: what I want to prevent is that a representation of a resource / modification of a resource operate over mixed content (user-defined vs server-managed) 15:15:33 ... we can say that an LWS resource is an HTTP resource, but with additional restrictions 15:15:35 q+ 15:16:18 gibsonf1: for us, the problem you describe does not exist. We are data-first, so each piece of data has its own permissions. We would not split the data in different resources based on user- vs. server-managed. 15:16:41 q+ 15:16:43 ack next 15:17:23 termontwouter: I agree with gibsonf1 that the current definition looks a bit like a 1-to-1 mapping between resource and URI, which is not what it should be 15:17:37 jeremycaine: we could start by defining an LWS resource as an HTTP resource 15:18:39 [wordsmithing the definition of resource] 15:18:45 q? 15:19:08 +1 on definition 15:20:13 q- 15:20:52 acoburn: the service description is available at a given URI, and has a specific representation. 15:20:54 q+ to change resource to representation 15:22:04 gibsonf1: the definition should say "a representation" not "a resource" 15:22:26 q+ 15:22:47 q+ 15:22:57 ack next 15:22:58 gibsonf, you wanted to change resource to representation 15:23:03 pchampin: I disagree; it is not a LWS a resource, but it is a resource in the HTTP/Webarch sense 15:23:29 gibsonf1: we should not define the nature of resources, we should define interactions with those resources 15:23:48 acoburn: this is a resource that should respond to GET request 15:24:37 q? 15:24:58 ack next 15:25:34 elf-pavlik: my understanding is that HTTP does not define whether 2 resources are the same or not; WebArch allows several URIs to identify the same resource 15:25:53 ... there is no assumption when we say "resource" that we are making it distinct from any other resource 15:25:55 ack next 15:27:47 pchampin: "storage description" is not the nature of the resource, it is its role 15:28:08 gibsonf1: we are specifying a very specific kind of representation, that what we should say 15:28:41 laurens: yes, the representation format is the spec part; but what we are specifying is the representation of *a resource* 15:29:19 acoburn: let's move on to "storage workspace" 15:29:54 q? 15:30:55 termontwouter: following pchampin's suggestion, the workspace is singular when the storage is a a whole 15:31:27 pchampin: then the term "root" might actually be more appropriate; "workSPACE", as laurens's question earlier shown, may give the impression of a "whole" 15:31:44 q+ 15:32:44 ack next 15:33:12 ryey: does a storage root imply that the storage is a tree? 15:33:32 acoburn: in many places in the space, we talk about a hierarchical tree, so yes 15:33:37 q+ 15:34:06 ryey: does that involve some changes in the description of multiple-containment? 15:34:23 acoburn: we are not there yet, but I don't think we are going to specify multiple containment 15:35:25 [wordsmithing the definition of "Storage Root"] 15:36:36 q+ to replace containers by collections with multiple hierarchies 15:36:54 acoburn: let's move on to "Container" 15:36:57 q+ 15:37:33 ack next 15:37:49 elf-pavlik has joined #lws 15:37:58 laurens: we have had multiple discussions about whether a container can also be a data resource. I would like to solve this. 15:38:19 ... It adds complexity over operations that govern containers. It would make it simpler to split the two. 15:38:47 q+ to talk about the difficulties of composite resources 15:38:52 ... There might be implementations that want to allow a resource to be both; we should maybe provide some leeway for that. 15:38:55 ack next 15:38:56 termontwouter, you wanted to replace containers by collections with multiple hierarchies 15:39:06 ... But operations on data resources and containers are very close, so I'm a bit worried. 15:39:35 termontwouter: it is difficult if you start by considering them as separate. 15:39:42 q+ 15:40:09 jeremycaine: what is special about data resources vs. containers? 15:40:27 acoburn: the difference is that a data resource is entirely controlled by a client. 15:40:58 ... complexity starts when you allow a container to have some part managed by the client, and some part managed by the server 15:41:13 q? 15:41:28 termontwouter: it is not completely true; the server adds some metadata that a client can modified 15:41:44 ack next 15:41:48 q+ 15:42:26 gibsonf1: about this implementation issue of managing the data: whenever you have a file on a server, some server-managed metadata are associated to the file 15:42:38 ... so this mix occurs all the time 15:43:02 ... this separation would make a big change from Solid 15:43:37 ack next 15:43:37 q+ to consider what gets surfaced to UX 15:43:38 acoburn, you wanted to talk about the difficulties of composite resources 15:43:45 ... I don't see this as a simplification, but as making things more complex 15:44:01 acoburn: I have worked on a number of Solid / LPDish implementation. 15:44:13 q+ 15:44:19 ... composite resources come with a lot of problems. E.g. ETAGs (what changes are you measuring?) 15:44:38 q+ 15:45:06 ... For very large containers, we want a paging mechanism; where would the additional properties go? first page? every page? 15:45:54 ... Currently, in Solid or Fedora, you have a place where you can put additional metadat. 15:46:10 ... You can include them in the main description using preferred headers. 15:46:13 q? 15:46:33 gibsonf1: acoburn, I appreciate what you are saying. 15:47:24 ... we have in production a system where each triple has permissions, everyone sees different triples based on their permissions 15:47:41 q? 15:47:44 ack next 15:48:02 ... if you make this distinction between containers and data resources, you are preventing us from being compliant 15:49:20 ack next 15:49:46 pchampin: let's be careful with "user-managed" vs "server-managed"; things are more nuanced 15:49:51 It would be impossible to get data resource json about a container if you seperate these this way 15:50:16 termontwouter: acoburn's arguments are about it is difficult to implement, but gibsonf1 reports that they have an implementation 15:51:34 acoburn: to respond to that; for me the challenge is to reuse the URL of the container itself to make user-defined changes 15:52:30 ... there are other ways to manage user-managed data in the container representation 15:52:39 q+ to suggest a middleground 15:52:51 q? 15:52:52 ack elf-pavlik 15:52:53 elf-pavlik, you wanted to consider what gets surfaced to UX 15:53:10 elf-pavlik: mixing containment triples with user-managed triples has a long history of being painful 15:53:34 ... it boils down to priority of constituents: on whom we put the burden 15:53:47 acoburn has joined #lws 15:53:53 q? 15:54:09 q+ to summarize https://github.com/w3c/lws-protocol/issues/116 15:54:28 ... there should be a way for the user to define a collection around a container 15:54:36 ack gibsonf 15:54:36 acoburn has joined #lws 15:54:42 q? 15:55:08 gibsonf1: the key issue is: if I do a GET on a container, I want the containment triples + additional data 15:55:25 ... it is game over for us here, it is a big deal 15:56:05 ... I understand what acoburn's point about how implementations would solve it; some implementations might not support it, but those who do must be able to do it 15:56:22 ack next 15:56:24 ack laurens 15:56:31 What we need to do is restrict only as much as necessary, permitting other things to "extend" or otherwise work differently yet similarly. 15:56:33 I look forward to tomorrow's presentation of the grand unification proposal that gets developed during conversation over dinner & drinks tonight. :-) 15:56:55 laurens: to propose a way forward, we could continue with the spec as it is (operations on data resource and on containers) 15:57:41 ack next 15:57:42 jeswr has joined #lws 15:57:43 pchampin, you wanted to suggest a middleground 15:57:43 ... implementations could introduce additional operations on containers (we need to check how that's possible) 15:57:49 q+ 15:57:57 ack next 15:57:58 termontwouter, you wanted to summarize https://github.com/w3c/lws-protocol/issues/116 15:58:08 I have made the request to generate https://www.w3.org/2026/04/27-lws-minutes.html TallTed 15:58:14 ack next 15:58:42 ... some servers could accept "data resource operations" on a containers, but I would refrain from specifying it 15:59:08 jeswr: gibsonf1 what is preventing you from doing what you want with a metadata resource? 15:59:28 gibsonf1: if I do a GET on a container, currently I can't get the additional data 15:59:54 laurens: you can! Nothing prevents you from including that data in the container's JSON-LD 16:00:12 ... the set of attributes at the resource level is extensible 16:01:11 pchampin: take it the other way around, if you get json ld the way your app is expecting.... it depends how you look at it 16:01:29 q? 16:01:34 ... what laurens is describing, you can look at it as using your original description plus lws container desc 16:01:50 gb: i don't want two requests 16:02:00 pchampin: this is possible i don't see what would prevent it 16:02:24 dinner location: Granary Square Brasserie 16:02:27 rrsagent, make minutes 16:02:28 I have made the request to generate https://www.w3.org/2026/04/27-lws-minutes.html acoburn 16:02:35 elf-pavlik has joined #lws 16:02:47 RRSAgent, make minutes 16:02:48 I have made the request to generate https://www.w3.org/2026/04/27-lws-minutes.html pchampin 16:03:59 previous meeting: https://www.w3.org/2026/04/20-lws-minutes.html 16:03:59 next meeting: https://www.w3.org/2026/04/28-lws-minutes.html 16:06:27 chair: laurens 16:06:44 Zakim, end meeting 16:06:44 As of this point the attendees have been eBremer, TallTed, laurens, pchampin, bendm, gibsonf, jeswr, AZ, uvdsl, acoburn, ryey, kaefer, ericP, RazaN, termontwouter, Luke, 16:06:44 ... elf-pavlik, jeremycaine, ! 16:06:44 RRSAgent, please draft minutes 16:06:45 I have made the request to generate https://www.w3.org/2026/04/27-lws-minutes.html Zakim 16:06:51 I am happy to have been of service, TallTed; please remember to excuse RRSAgent. Goodbye 16:06:51 Zakim has left #lws 16:06:51 RRSAgent, bye 16:06:51 I see no action items 16:15:04 RRSAgent has joined #lws 16:15:04 logging to https://www.w3.org/2026/04/27-lws-irc 16:17:13 meeting: LWS WG F2F Meeting 2026 (Day 1) 16:17:14 present- ! 16:17:16 present- gibsonf1 16:18:58 I have made the request to generate https://www.w3.org/2026/04/27-lws-minutes.html TallTed 16:19:30 RRSAgent, bye 16:20:23 RRSAgent, bye 16:20:23 I see no action items