Re: Web Access Control - Authorization condition with capability detection from Melvin Carvalho on 2026-03-24 (public-solid@w3.org from March 2026)

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Tue, 24 Mar 2026 17:50:45 +0100
To: Sarven Capadisli <info@csarven.ca>
Cc: public-solid@w3.org
Message-ID: <CAKaEYh+Xz=bSbJ1TAsRhfh9YsM8PX1x1XeLASY6hL5ZO4TeNJA@mail.gmail.com>

út 24. 3. 2026 v 13:29 odesílatel Sarven Capadisli <info@csarven.ca> napsal:

> Ahoy hoy!
>
> After much deliberation and popular demand, there is now a PR:
>
> https://github.com/solid/web-access-control-spec/pull/134
>
> proposing capability detection for extensible authorisation conditions
> in WAC. Servers can signal supported condition types, and clients can
> use them accordingly.
>
> As anticipated in
> https://solidproject.org/TR/wac#authorization-extensions , this version
> adds initial condition types to the core spec, issuer and client
> identification. The design allows future types, e.g. time based
> conditions or ODRL policies.
>
> Changes are backwards compatible. Servers without condition support are
> unaffected. Adoption can be incremental.
>
> That said, we want to do this properly. This is also a call for
> implementers or a call for commitment to implement so that we can align
> the specification with real and open implementation experience before it
> advances further. Please chime in!
>
> For those interested in technical writing, review of the PR would be
> much appreciated.
>
> As usual, myself and others are available to support the community in
> understanding the proposed changes. Feel free to reach out in the chats,
> meetings, or catch me at in-person events where I am happy to convene an
> impromptu WAC-support Group.
>

NACK. As a WAC implementer, I will not implement this proposal as part of
WAC 1.1.

The current design introduces a silent authorization bypass on WAC 1.0
servers that do not understand the new condition types. That is a security
regression and violates the principle of fail-closed authorization.

This is not appropriate for a minor version update. It changes the
effective security model of WAC in a way that existing deployments cannot
safely interpret.

If pursued, this must be defined as a separate extension specification with
explicit opt-in and independent implementation experience.


>
> -Sarven
> https://csarven.ca/#i
>

Received on Tuesday, 24 March 2026 16:51:04 UTC