- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Wed, 15 Apr 2026 15:17:24 +0200
- To: public-solid <public-solid@w3.org>
- Message-ID: <CAKaEYhKGfWuAAyPwJbRL=Kuk3hiyNgnfcsmLu7hFjp6vA=daGA@mail.gmail.com>
Hi all,

I've published a draft extending Web Access Control with acl:condition, using fail-closed evaluation semantics:

https://webacl.org/secure-access-conditions/

Source: https://github.com/webacl/secure-access-conditions

This builds on PR #133 [1] and PR #134 [2], reusing the same acl:condition syntax and condition types (acl:IssuerCondition, acl:ClientCondition).

The key difference is in evaluation semantics: if a server encounters a condition it does not support, the authorization is treated as non-applicable. This ensures that access constraints are never silently ignored and avoids fail-open behaviour in mixed-capability deployments.

This is a breaking change, hence versioned as WAC 2.0. Servers that do not understand a condition must reject it, rather than evaluating the authorization as if the condition were absent.

Two implementations exist today:

- JavaScriptSolidServer (JSS)
- VisionClaw (via JSS) [3]

Feedback is very welcome, particularly from implementers. I’m also looking for co-editors and reviewers interested in shaping this work.

Melvin Carvalho

[1] https://github.com/solid/web-access-control-spec/pull/133
[2] https://github.com/solid/web-access-control-spec/pull/134
[3] https://github.com/DreamLab-AI/VisionClaw
Received on Wednesday, 15 April 2026 13:17:41 UTC
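
The evaluation rule described in the message, as an added example that is not taken from the draft, JSS or VisionClaw. It assumes plain objects in place of parsed RDF, hypothetical field names (`agent`, `modes`, `conditions`, `issuer`, `client`), exact-match agent checks, and that every condition on an authorization must hold.

```javascript
// Constructed sample data: plain objects stand in for parsed ACL triples.
// Field names (agent, modes, conditions, issuer, client) are assumptions of this sketch.
const authorizations = [
  { id: '#appOnly', agent: 'https://alice.example/#me',
    modes: ['acl:Read', 'acl:Write'],
    conditions: [{ type: 'acl:ClientCondition', client: 'https://trusted.example/app' }] },
  { id: '#anyApp', agent: 'https://alice.example/#me',
    modes: ['acl:Read'],
    conditions: [{ type: 'acl:IssuerCondition', issuer: 'https://idp.example/' }] },
];

// Evaluate one condition of a type this server understands.
function conditionHolds(cond, request) {
  switch (cond.type) {
    case 'acl:IssuerCondition': return cond.issuer === request.issuer;
    case 'acl:ClientCondition': return cond.client === request.client;
    default: return false; // unknown types never hold
  }
}

// failClosed = true: an unsupported condition makes the authorization non-applicable.
// failClosed = false: the unsupported condition is skipped, as if it were absent.
function isApplicable(auth, request, supported, failClosed) {
  if (auth.agent !== request.agent) return false;
  for (const cond of auth.conditions ?? []) {
    if (!supported.has(cond.type)) {
      if (failClosed) return false;
      continue;
    }
    if (!conditionHolds(cond, request)) return false; // assumption: all conditions must hold
  }
  return true;
}

// Union of modes from every applicable authorization.
function grantedModes(auths, request, supported, failClosed = true) {
  const modes = new Set();
  for (const auth of auths) {
    if (isApplicable(auth, request, supported, failClosed)) {
      auth.modes.forEach((m) => modes.add(m));
    }
  }
  return [...modes].sort();
}

// Constructed request: Alice, signed in via the expected issuer, using an unlisted app.
const request = { agent: 'https://alice.example/#me',
  issuer: 'https://idp.example/', client: 'https://other.example/app' };
const issuerOnly = new Set(['acl:IssuerCondition']); // server without ClientCondition support
const fullSupport = new Set(['acl:IssuerCondition', 'acl:ClientCondition']);
```

With `issuerOnly`, `grantedModes(authorizations, request, issuerOnly, true)` yields only `acl:Read`, while passing `false` also yields `acl:Write` for the unlisted app because the unsupported `acl:ClientCondition` is skipped.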