Re: [Solid26: Implementation Guide] On Solid26 (WAC|ACP) from Erich Bremer on 2026-04-28 (public-solid@w3.org from April 2026)

From: Erich Bremer <erich.bremer@stonybrook.edu>
Date: Tue, 28 Apr 2026 23:49:15 +0100
To: Alain Bourgeois <alain.bourgeois10@gmail.com>
Cc: elf Pavlik <elf-pavlik@hackers4peace.net>, public-solid <public-solid@w3.org>
Message-ID: <CAGR3=-83Eh-uYA2rJjTH209EObBoW8dDoN=A5gzrJ7=JK1tbKg@mail.gmail.com>

Dear all,

I missed the data-collection window and have been catching up through the
meeting minutes, the mailing-list thread, and PR #783.

The survey measured current Solid implementers - people who cleared the
access-control bar and built on what WAC or ACP could express.  It tells us
about the population who already adopted Solid.  It's really not
surprising. WAC is simple and represents the path of least resistance.  But
the survey tells us nothing about the people who looked at Solid, found
neither language adequate for their use case, and went elsewhere (saying
nothing). It also tells us nothing about the population who have never
heard of Solid at all but whose data-control needs sit squarely within
Solid's stated mission.

For the record, I've never been employed by Inrupt or ODI.  I work in
biomedical informatics at Stony Brook University within the Stony Brook
University Hospital complex.

Patient-held medical data with patient-driven access control is, to me, the
canonical Solid scenario - patients granting access to specific clinicians,
denying access to others (an explicit deny, not just absence of grant),
gating by application, allowing access to "any licensed practitioner in
good standing" via verifiable credentials, time-bounding access for an
episode of care. IRB-controlled research data has the same shape: access
gated by a valid IRB-approval credential, scoped to a protocol, bounded by
the approval window.

WAC, as currently shipped, cannot express these patterns adequately. ACP
can, but its own gaps - no Security or Privacy Considerations text,
near-zero recent maintenance - make it difficult to put in front of a
privacy officer or an IRB. The survey reflects the population that cleared
the bar with the tools available; it does not reflect the populations the
project would, in principle, serve. That seems reason enough to reconsider
whether "recommend WAC, mention ACP" is the right framing.

Best,
Erich Bremer
Director for Applied Informatics, Department of Biomedical Informatics
Stony Brook University

Received on Tuesday, 28 April 2026 22:49:56 UTC