Summary of activity from 12/06/2021 to 20/08/2021
- ACP Basic Specification and Implementation
- Implement initial Attribute-based Access Control framework (ACP) ideas developed by Solid Auth
- Test suites
The situation on the ground is the following:
- WAC: Sarven Capadisli has reworked the WAC spec 0.5.0 from wiki format into a cleanly HTML-formatted Web Access Control spec.
- ACP: The PR for an ACP specification is progressing and will be reviewed next week.
- WAC+: proposals for simple WAC extensions. I am defending the position that WAC should be extended in a backward-compatible way, allowing us to satisfy our use cases.
We worked on building up evaluations of ACP, WAC and WAC+, published in the evaluations folder. The exercise of working through use cases very carefully, by showing exactly what the communication between the client and the server has to be for the system to work, has, I believe, been tremendously helpful. That work has been done carefully for these two use cases:
- Effective Access Control Resource Discovery reveals a big efficiency problem with WAC. Four WAC+ solutions were proposed, of which the most elegant is to define a new Link relation.
- Access Inheritance Use Cases reveal a problem with both WAC and ACP, in that both have to copy access control rules:
  - ACP has to copy each rule into the resource-specific ACR, creating potential duplication problems during edits.
  - WAC can have a resource containing default rules for a container hierarchy, but if that is overridden locally, then all rules have to be copied.
  - WAC+ :imports proposes to use an imports relation to solve the problem of rule duplication.
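To make the duplication problem concrete, here is a small added model (not Solid-Control's code, nor any spec text) of how the effective ACL is chosen in WAC and what an imports relation changes. It assumes plain WAC semantics (a resource's own ACL replaces the nearest ancestor's acl:default rules entirely) and assumes, for WAC+, that :imports pulls in the imported ACL's default rules by reference; the paths, WebIDs and rules are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    agent: str          # a WebID, or "public" standing in for acl:agentClass foaf:Agent
    modes: frozenset    # e.g. {"Read", "Write"}

@dataclass
class Acl:
    access_to: list = field(default_factory=list)  # acl:accessTo rules for the resource itself
    default: list = field(default_factory=list)    # acl:default rules inherited by descendants
    imports: list = field(default_factory=list)    # WAC+ :imports targets (assumed semantics, see below)

def parent(path):
    """Container of a path: '/docs/report.ttl' -> '/docs/', '/docs/' -> '/', '/' -> None."""
    if path == "/":
        return None
    return path[: path.rstrip("/").rfind("/") + 1]

def effective_acl(path, acls):
    """WAC: the resource's own ACL if it has one, otherwise the nearest ancestor's ACL."""
    p = path
    while p is not None:
        if p in acls:
            return p
        p = parent(p)
    return None

def effective_rules(path, acls):
    owner = effective_acl(path, acls)
    acl = acls[owner]
    # Own ACL: its accessTo rules apply. Inherited ACL: only its default rules apply.
    rules = list(acl.access_to if owner == path else acl.default)
    for imported in acl.imports:              # WAC+: reference the container's rules instead of copying them
        rules.extend(acls[imported].default)  # assumption: imports brings in the target's default rules
    return rules

def allowed(agent, mode, path, acls):
    return any(mode in r.modes and r.agent in (agent, "public") for r in effective_rules(path, acls))

# Constructed sample: the container grants alice Read/Write and everyone Read.
CONTAINER_DEFAULTS = [Rule("https://alice.example/#me", frozenset({"Read", "Write"})),
                      Rule("public", frozenset({"Read"}))]
BOB_READ = [Rule("https://bob.example/#me", frozenset({"Read"}))]

# Plain WAC: giving /docs/report.ttl its own ACL (to add bob) silently drops the container defaults
# unless every rule is copied into it.
WAC_ACLS = {"/docs/": Acl(default=CONTAINER_DEFAULTS),
            "/docs/report.ttl": Acl(access_to=BOB_READ)}

# WAC+: the resource ACL adds bob and imports the container's rules, so nothing is copied.
WACPLUS_ACLS = {"/docs/": Acl(default=CONTAINER_DEFAULTS),
                "/docs/report.ttl": Acl(access_to=BOB_READ, imports=["/docs/"])}
```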
As a comparison, there is no detailed flow worked out (yet) for the Resource Access Use Case. It is assumed that data is just available, but how the client can find the data is not made clear.
The WAC+ exercise has not just led to the formulation of extensions to WAC, but also to simplifications, such as the proposal to deprecate acl:Control. That simplification could unblock several other problems, allowing, for example, publicly accessible rules for the many organizations that require transparency.
The meetings were taken over for the first month by a discussion on UMA-type protocols, leading to two stories on Consent Workflow Use Cases that need to be worked out in detail.
- 2021-07-07
- 2021-07-21
- 2021-07-28
- missing for holidays
- 2021-08-18
The current implementation of Solid-Control has support for :imports and TriG serialisation of access control rules.
Support for group-based access is currently being worked on; it should extend to groups defined by descriptions such as friend-of-a-friend social network relations. That should be in by the end of the month.
Most of the commits since the last milestone have been test-suite related. See the Reactive Solid commit log. The next ones will add new functionality.
- The W3C WebID repository has woken up a bit with three issues added.
- I have been following the work on the Category of Polynomials. David Spivak has been giving a course on that at Berkeley. Poly covers many of the concepts we are using in building Reactive-Solid. See the Twitter thread.
  - They cover coalgebras, used to model OO programming, systems and modal logic.
  - They cover Lenses, which in functional programming are used to focus in on a part of a data structure and make changes there. There was a proposal in July for using those to build web servers (Lenses). That did not feel dynamic enough to me at the time, but that was before I had looked at the work on Poly.
  - There seems to be a strong relation between Actors and Poly, as it is a mathematics of dynamical systems that can change.
  - Eric Neumann's "Comonads and the Web" is relevant given the relation of Poly to comonoids, and so to comonads.