[wg/lws] Proposed charter: Linked Web Storage Working Group (ex Solid) #377
Comments
|
Personal question during drafting i18n HR, do ones listed in Dependencies are really 'Dependency' or extensions to Solid Protool?? |
|
I believe it is intended along the lines of required orthogonal modules ( https://www.w3.org/TR/spec-variability/#subdivision-module ) or components rather than extensions ( https://www.w3.org/TR/spec-variability/#extensibility ). |
|
No comment nor request from i18n |
|
Is the PING interested in reviewing this charter? @sandandsnow |
|
APA will review this charter at next week's meeting, sorry for missing this one. |
|
no comment from APA |
|
(PING has comments, coming soon) |
|
(no comments from PING) 2023-09-15: PING comments were simply to align the charter with the charter-template, which was done. |
|
2 comments: [[ should read Also add the names of the proposed chairs. |
plehegar
changed the title
|
The Solid specification contains a LOT of normative references to document that have been developed in Community Groups. This MAY become an issue when the document attempts to move to Candidate Recommendation and beyond. See also considerations for normative references (which will need to be placed under a better process to be revised). |
|
The Solid specification contains references to Identity and Authentication. The spec will need to better integration with the rest of the identity/authentication efforts at W3C. |
|
Sorry for the delay in getting the TAG review of the charter out. The following review represents consensus of the TAG. Solid WG Charter reviewScopeThe focus of the charter (covered by the mission, and the name of the WG in particular) should be around a problem space, and not a particular product or existing solution. While having well used and incubated existing work as inputs to a charter is of course valuable and necessary, in this case it sounds like the outcome is a foregone conclusion. This is particularly important as the motivation in the charter touches on many very broad areas - identity, data access, privacy, decentralised trust - all of which are active research areas, and many of which are covered by recent or ongoing work in W3C already. Having a well-defined and tightly bound scope for a charter is good practice - but applied to the problem space, not the solution space. At this stage, we should see a well-scoped problem space, and a range of input documents; but here we see an extremely broad problem space, and a single proposed solution. Multi-stakeholder involvementWe're concerned that there's an underlying idea that a W3C WG is a place to rubber stamp something that has already been decided, rather than a venue to bring together multiple points of view to reach consensus on how to solve a common problem. It may well be that the Solid Protocol is the consensus solution, but we can't know that until WG participants have had a chance to examine their options. The current framing may deter people in the same problem space (personal data stores, and/or decentralised trust architectures) who are working on solutions other than Solid from participating in the first place, and the community would lose out by excluding their valuable perspectives. This concern is exacerbated by the language around backwards compatibility with existing implementations - we'd be happy to be told this is not the case, but we sense a reluctance to deviate from what has already been specified. DeliverablesThe introduction mentions the Solid Protocol has been incubated and implemented since 2018, but the Security and Privacy Considerations in the spec are short and have no detail specific to the protocol. In particular, we see no mention of data in the personal storage being encrypted. This makes us question the maturity of the work, and compounds the concerns about multi-stakeholder engagement. The out of scope section mentions identity mechanisms, but the deliverables mentions WebID and Solid-OpenID; is this in contradiction? The five "dependencies" are actually deliverables - none are standard today and the charter suggests they group is planning to make them recommendations. Yet they are not listed on the timeline. The timescale seems ambitious for this amount of work. Part of our focus is to help the architecture of the web stay cohesive, and encourage new specs/features to work with or build on existing parts of the web platform. In that light, we'd like more information on how some of the deliverables relate to existing or in-progress work, for instance:
Are any of the specifications intended as things that can or should be integrated into browsers? How do they fit into the wider web platform ecosystem? We're concerned about a silo of Solid standards which sit apart from everything else. We encourage everything that comes for TAG review to include an explainer. Your explainer is a living document that describes the current state of your proposed web platform feature, or collection of features. In the early phases of design, this may be as simple as a collection of goals and a sketch of one possible solution. As your work progresses, the explainer can help facilitate multi-stakeholder discussion and consensus-building. The TAG would really value an explainer for each of the various pieces proposed here, with user stories and details about the relationship to existing work and considered alternatives. ConclusionWe encourage you to reframe your charter proposal to anticipate more multi-stakeholder involvement from the outset, for example by taking the documents from the Solid CG as inputs, alongside other relevant work in the area, and working on a solution that solves the problem you have identified in a more holistic way. One potential way forward might be to re-frame the working group as a Personal Data Stores working group, have the Solid specifications as some of several inputs to that group, ensure a wide community of implementers joins that group (wider than than the existing Solid community), and seek to integrate into or interoperate with existing, mature web technologies where possible. |
|
Dear W3C TAG, Thank you for your extensive review on the Solid Working Group Charter. We look forward to working together with you to ensure that the Working Group can start early 2024, and are available for any conversations that will facilitate this. As you know, the Solid project is close to my heart, because it represents what I consider an important part of the future direction of the Web. As much as I appreciate your review, I do see two kinds of differences we’ll need to resolve together. One part relates to the W3C process, and the other to technical aspects of Solid. Based on your guidance, we will refine the charter such that the TAG can review a version that clarifies any ambiguity that there may be. On the W3C Process
The W3C Process Document defines problem space exploration as the role of a W3C Interest Group. A working group should take an existing and fairly mature technology and refine it very precisely until it has aligned specification, tests, and implementations.
Rest assured that there is no such conclusion: “Solid” is the name for a technology in progress, passed as input for the WG to consider and refine. This is how working groups have always worked: recent WGs such as DID and VC formed similarly from incubated works and implementations in a CG and then considered, refined (or rejected), and formalized those inputs.
W3C is not a research organization. It refines and standardizes existing practice that works. Running code carries a lot of weight: while some W3C working groups struggle to get three independent implementations, the draft Solid protocol has around 6 already. This strongly indicates our need for standardization, rather than a rubber stamp.
The process of getting from a broad problem space to a specific solution space is incubation. In W3C that is done by CGs and IGs, not WGs.
As already indicated above, much more work is needed than just a rubber stamp. Only the main direction has been decided – through years of incubation in a W3C Community Group and with many stakeholders. What hasn’t been decided is the exact format of the solution, and that’s what we aim to do in the Working Group, with those stakeholders. On the technical aspects of Solid
Existing documents are inputs, and they are indeed not ready for a rubber stamp, nor do we want them to be at this stage. Refining and finalizing the Security and Privacy - and Internationalization and Accessibility - sections is something the WG will be well placed to do.
The Solid Protocol is a client-server protocol, like HTTP, like CalDav. The role of the protocol spec is to define what goes over the wire, how it is constrained, and what it means. The role of the spec is not to constrain or second guess implementations. Because it uses HTTPS, the network traffic is always encrypted. If implementations want to use encrypted hard drives, encrypted filesystems, or encrypted databases to protect data at rest, that is their prerogative. The spec does not and should not dictate those implementation details, though it can and should encourage security and privacy steps to be taken in implementations, such as encryption at rest.
There is no contradiction: identity mechanisms are out of scope, so the OpenID/WebID mechanism allows for pluggable IDPs such that Solid can be IDP-agnostic.
This concern is crucial to us as well; let’s work together on an adequate timeline.
LDN is one notification channel that can be used with Solid. Other channels can be added in the future.
Web Notifications is for delivering user notifications in a browser, not (AFAIK) for sending notifications from a server to either another server or to a client.
They are compatible. SolidOIDC allows for pluggable IDPs, it does not specify what happens beyond that, so login may or may not use FEdCM.
CORS is limited to scenarios 1) across origins 2) in browsers 3) for the current user. ACP defines fine-grained access control between servers, regardless of origin, and any kind of client or actor.
WAC is an input to the WG and by no means a predetermined outcome. Nonetheless, W3C protocols have historically tended to be above IETF standards in the stack, and so if something is built ON http, then there is an argument it belongs at W3C, as we see with many existing W3C standards.
Solid is a profile spec of many existing parts: HTTP is pretty generic, OIDC is a huge industry norm. ACP is new, but WAC has been around for a long time and is not Solid-specific. Great effort has gone into reusing existing standards and technologies specifically so that Solid is not a revolution of all existing web standards (unlike blockchain), but rather built on top of them. Explainer
Absolutely, this is an important point and we have already started work on a comprehensive explainer. We’d be glad to walk you through it once we are ready, please stay tuned. Meanwhile, we’ll work with the TAG to ensure that the final version of the charter will be the one that gets the Working Group started soon, as many W3C Members are eager to start standardization work on Solid. We’re open to any further questions, and look forward to the forthcoming conversations. |
Solid Charter Review 2(Note an earlier response by the TAG in fact was not a consensus of the TAG. Here is the minority report.) The TAG thanks the Solid Community Group and the rest of the Solid community for its work over many years to refine this important technology, and for bringing it further along its track in W3C in the proposed working group. The TAG recognizes an exciting technology which is user-empowering in a way that most of what we see is not. To be user-centric is a core value of the Web, and a core value of the TAG. In the Advisory Committee review of this charter, there were opinions expressed by some that this WG should, instead of taking the specification as incubated by the Solid CG, should start a general review of the whole field of personal data stores and related products. The TAG points out that this would be the work of an Interest Group, not a Working Group. It is very important that specifications incubated in community groups (as well as elsewhere) have a clear path to WG. The TAG notes that the Solid Protocol has rough consensus and running code, and respects that. The TAG notes that the Candidate Recommendation status of a Rec-track document was introduced as a “call for implementations” when there was agreement on the specification but insufficient implementations. Noting that there are already more interoperable implementations of the Solid Protocol than many W3C WGs try to achieve to exit CR, it would be reasonable for the spec to skip the CR stage. The TAG notes that while most of the dependencies are on Rec track or equivalent, some are not yet. The TAG is happy to work with the Solid WG to help prioritize the work involved, and also to negotiate with other groups to resolve these issues. The TAG notes that while SolidOIDC is currently the form of authentication commonly used, that in earlier days WebId-TLS was in fact used, and there have been suggestions that other systems of authorization, such as those based on HTTP Signatures, have been suggested. The TAG encourages the wider community to help triage and develop new solutions in the space. The TAG recognizes that systems build using the Solid Protocol are fundamentally more user-empowering, and so recommends that as the platform becomes more robust with the work on th Solid WG, that future designs of systems which involve storing user data should all be compatible with the Solid Protocol, just as we encourage designers to use URIs and HTTP, rather than re-inventing them. The TAG notes that the Architecture of the World Wide Web Volume 1 [AWWW] document which it produced in 2004 is out of date, and undertakes updating it to worlds of Progressive Web Apps and Solid Apps. This does not represent the consensus of the TAG. |
As promised, an initial TAG-style Explainer for the Solid Protocol. There will be others, I am sure. |
|
Plan is to circulate a new charter around to see if we get a common ground. See also charter changes. |
pchampin
added
tag-tracker
More specifically: a snapshot of the new charter is now available here: https://www.w3.org/2024/05/proposed-linked-web-storage-wg-charter.html. Anticipating a new submission of this charter to the AC (depending, of course, on the decision of the on-going W3C Council), I'd like to request a new TAG review. |
pchampin
changed the title
pchampin
changed the title
|
The Security Review follows: Security considerations are appropriate when considering the scope of the protocol. A few improvements are suggested, as follows. At the Charter level, I would suggest adding to the Success Criteria the creation of a Threat Model (at the LWS ecosystem level) and a structured analysis according to RFC 3552. At the level of Deliverables, particularly on the Solid Protocol is the Security Section. Considering that the specification defines a
Based on HTTP, it refers to the related security considerations of HTTP. Threat Modeling with STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) the considerations:
Given the Scope of the specification, it makes sense that consideration covers Tampering and Information Disclosure, and other Threats are delegated, such as:
Therefore, it might be useful to explicitly state that these aspects are delegated to the implementor and analyzed in a Threat Model. |
|
To make it clear: we're no longer pursuing the original proposed charter and expecting to send a new charter. |
By "at the LWS ecosystem level", do you mean that the Threat Model should have a broader scope than "only" the LWS Protocol? That would make sense to me, but then do you envision this as a separate document? A Note or a Rec? Eitherway, it should not only be mentioned in the Success Criteria section, but also in the Deliverables section. Is is what you meant? Just checking before proposing a PR. |
Yes, I would like to say a Note. Thank you for the clarification |
|
Apparently, TAG is fine with us moving forward. (via @ylafon) |
plehegar
moved this from Chartering
to Parking Lot
in Strategy Team's Incubation Pipeline (Funnel)
github-project-automation
bot
moved this from Chartering
to Incubation
in Strategy Team's Incubation Pipeline
and others
New charter proposal, reviewers please take note.
Charter Review
Charter: https://solid.github.io/solid-wg-charter/charter/
What kind of charter is this? Check the relevant box / remove irrelevant branches.
Horizontal Reviews:
Communities suggested for outreach:
Known or potential areas of concern:
Where would charter proponents like to see issues raised? (this strategy funnel issue, a different github repo, email, ...)
Anything else we should think about as we review?
The text was updated successfully, but these errors were encountered: