solid26: draft WAC/ACP wording for CG discussion

[jeswr]

A preview link can be found here.

Purpose

Action item from the 2026-04-22 CG call: draft a neutral wording change for the WAC/ACP framing in solid26. It is not a proposal for merge on review — it is text to amend in-place until the CG is ready to take a position.

Raised as a separate PR so the access-control wording can be worked on without blocking the rest of solid26 (#776).

Seeking consensus

@elf-pavlik, @uvdsl, @thhck — as CG chairs, how would you like to proceed with getting group consensus on this text? @uvdsl, you're also a co-editor of solid26 — are you ok with this approach wearing both hats?

My suggestion: a 👍 / 👎 reaction vote on this PR, open until Wednesday 2026-04-29, with line-level edit suggestions welcome in the meantime. Happy to follow a different process if you prefer.

Discussion context

• CG call 2026-04-15: meeting notes
• CG call 2026-04-22: meeting notes (action item at the end: draft initial text)
• Main solid26 PR: feat: initialise Solid26 implementors guide #776

[elf-pavlik]

I don't see anything controversial here, could live with it.

[csarven]

Once again, this is not an "action" of the CG in the sense that there was no agreement or consensus within the formal meeting about the proposed changes here. Anything expressed herein is informal, if not subjective. It is not carrying out the "actions" of the CG.

That said, there are several issues in the language and tone of what's being expressed here, in addition to logical fallacies. I will update this list as we go towards a public publication.

• It undermines WAC and upsells ACP while leaving out key nuances.

• It does not adequately or appropriately reflect on the data: https://github.com/w3c-cg/solid/blob/main/implementations/wac-acp.2026-04-01.csv .

• It does not capture the CG consensus to recommend WAC: https://github.com/solid/specification/blob/main/meetings/2026-04-01.md#wac--acp . Editors are expected to carry out CG consensus.

• The whole "monotonic" and "non-monotonic" semantics is largely irrelevant to implementers. Folks into theory, mathematics, or purity of some sort may find the labelling interesting, but the property of monotonicity, or lack thereof, is not an actual property of the specifications (such as conformance or testability), nor does it provide any meaningful or practical use for implementers. This information seems to have been added here because of some broad labelling / buzzwording being thrown around recently.

• It does not incorporate implementers' feedback, especially from those who are on record stating that ACP is unnecessarily complex, particularly where WAC would be adequate.

• The UI for most applications facing end users is far more convoluted with ACP than with WAC, without any demonstrable improvement. So, no real grounds for most implementers to bother with ACP.

• ACP may be favourable for admins because of the complexity. This is not something the Solid project was ever optimising for.

• See https://www.w3.org/DesignIssues/CloudStorage for example to get some orientation on the kind of open web problems the project was aimed at. The implementers guide should be focusing on the primary objectives, not the edges that are of interest to private orgs.

• The ACP specification has not been maintained for four years. ACP was abandoned. No tests. It doesn't even have a security and privacy consideration section. No significant dialogue in the community. Surely the very first and only release of the specification was so flawless in 0.x form that it didn't need an update?

• The WAC specification is actively developed. The conditions feature introduced in https://solid.github.io/web-access-control-spec/ moves WAC forward based on community needs, incorporating implementation experience along the way. There has been open and public dialogue among editors, authors, implementers, and users since the very beginning.

• No meaningful or significant ACP implementation feedback was brought to the CG. The CG did not benefit in any shape or form. If ACP was adequately implemented and used, the public data doesn't reflect that. If ACP was used in closed / private circles, implementation experience was not shared with the CG; it was withheld.

• Besides the public data, including verifiable implementations, the CG cannot merely remain "neutral" on the technologies here. The implementers' guide was intended to provide some direction.

• The PR lists ACP features as if their existence alone justifies adoption, with no evidence those features address real implementer needs.

• WAC's characteristics are framed purely as absences ("does not express..."), casting a deliberate design choice as a deficit.

• "Suited to requirements that go beyond WAC" is unsubstantiated. No verified implementer case or production deployment is cited.

• "More expressive" conflates formal expressiveness with practical utility. The two are not the same.

• ACP's features are listed without any acknowledgement of the corresponding costs, e.g., complexity, maintenance history, or adoption evidence.

• The paragraph ordering, WAC as simpler baseline then ACP as more capable, implies a natural upgrade path without making that argument explicitly.

• The renewed push to preserve ACP's status is coming mainly from people who haven't participated in CG discussions in years, on behalf of a specification that hasn't been revised since its first draft in 2022, and been effectively abandoned ever since. That's worth weighing against the implementation data.

• The best we can do here is recommend WAC to implementers (as already agreed in the CG) and explain that ACP is optional, as it is still being researched in private circles.

[uvdsl]

as CG chairs, how would you like to proceed with getting group consensus on this text?

Following the usual process of this CG. By welcoming feedback as comments here or via the mailing list, giving members of the CG sufficient time to review and make their mind up about this, and finally put it on the agenda of a CG meeting where one can make the case that all concerns are addressed or further discussion on the status of the PR might happen.

This also means that finding this consensus might need time. And I expect this to take time given past discussion. I am currently in the process of reflecting on that.

Therefore, I suggest giving the CG sufficient time here. Setting a deadline for Wednesday feels rushed and I would object to that.

also a co-editor of solid26 — are you ok with this approach wearing both hats?

As co-editor, I have not preference on the timeline. I merely aim to implement the consensus of the group, making sure that past agreements are honored, and finding accurate wording to this end.

---

• As mentioned, I am currently reflecting on the whole discussion and process of this discussion.
• Please be patient for my detailed review of this PR.

[jeswr]

Thanks @uvdsl — fair point. Dropping the Wednesday deadline; happy to follow the usual CG process (mailing list / comments here / agenda item on a CG call when the discussion is ready for resolution).

Since the wording won't be at consensus by the wider Solid26 launch, I propose that we launch with a clear warning banner at the top of the document ("some parts of this document are in the final stages of consensus building") and placeholder text in place of this draft — i.e. only the access-control-language recommendation is held back. The placeholder PR is #785.

Take whatever time you need with the detailed review.

[jeswr]

Do not commit this suggestion until #784 is merged. Once the snapshot PR lands, the https://solidproject.org/TR/2026/wac-20260420 URL will resolve to the immutable TR snapshot and we can drop the Wayback link.

Suggested change

<p>WAC is the simpler and extensible access-control language, covering the cases used by most current Solid applications. Its policies are RDF with monotonic semantics &mdash; adding or removing triples preserves the truth of existing grants. Optional <code>acl:origin</code> matching is not intended as client identification [<cite><a class="bibref" href="#ref-wac">WAC</a></cite> § <a href="https://solidproject.org/TR/2024/wac-20240512#security-privacy-review">Security and Privacy Review</a>]. WAC 1.0 (pinned here) does not express deny rules, application-aware matching beyond Origin, or conditional grants. Application-aware matching and conditional grants land as <code>acl:condition</code> in <a href="https://web.archive.org/web/20260425225256/https://solid.github.io/web-access-control-spec/">WAC 1.1 ED</a>, with no implementations known at the time of publication.</p>

<p>WAC is the simpler and extensible access-control language, covering the cases used by most current Solid applications. Its policies are RDF with monotonic semantics &mdash; adding or removing triples preserves the truth of existing grants. Optional <code>acl:origin</code> matching is not intended as client identification [<cite><a class="bibref" href="#ref-wac">WAC</a></cite> § <a href="https://solidproject.org/TR/2024/wac-20240512#security-privacy-review">Security and Privacy Review</a>]. WAC 1.0 (pinned here) does not express deny rules, application-aware matching beyond Origin, or conditional grants. Application-aware matching and conditional grants land as <code>acl:condition</code> in <a href="https://solidproject.org/TR/2026/wac-20260420">WAC 1.1</a>, with no implementations known at the time of publication.</p>

[jeswr]

Thanks @csarven for the detailed review. Walking through it.

Process and the action this PR is carrying out

To clarify what this PR is: at the 2026-04-22 CG call the action I took was to propose neutral text for the WAC/ACP framing in solid26. That's what's drafted here, for discussion. To be clear, the action was not to write up finalised or agreed-upon text; there was not a finalised or agreed-upon statement from the call.

My own statements on the recommendation question have evolved, and I want to be transparent about that:

• At the 2026-04-01 call I said: "One way I was thinking was that we recommend in the implementors guide the use of one specification - based on the data collected." That was framed as one option, not a committed approach. Your response on the same minute was: "Maybe, give the group the opportunity to voice (dis-)comfort with this result and messaging?"
• The decision recorded at 2026-04-08 ("servers should comply to WAC, may also support ACP") was reached with the participants present at that call, which did not represent a substantive majority of the CG. The data-collection email of 2026-03-20 flagged that the data "will help determine which specifications are recommended for Solid26", but no formal vote was sent to the wider CG before the 2026-04-08 framing landed, and there was no advance signposting that the form of the recommendation would be exclusive (one language over another) rather than inclusive (both included with the data presented).
• Since 2026-04-08 there has been pushback on multiple fronts — both to me directly (as the person who opened the survey) and in public CG comments — that the data-collection process was flawed, that the data is not representative, and that the resulting conclusion does not reflect consensus across the community. I've reflected those views back here based on the feedback given to me. The 2026-04-15 and 2026-04-22 calls re-opened the framing, including statements from @timbl ("as an analogy, POP and IMAP: POP is much simpler but both exist and you can use both, but one is much more powerful") and @acoburn ("the businesses that we work with, they handle regulated data, looking at their requirements, WAC does not work").

I want to acknowledge: I was the one who initially pushed for a stronger recommendation, hoping for consensus on one language. That was naive in retrospect, and the resulting need to walk it back has consumed considerable CG meeting time over multiple calls. I apologise for that. We clearly do not have consensus right now, and that is why this PR aims to be as neutral as possible — identifying the capabilities of each language and presenting the data, rather than reaching a conclusion from the data. I'm suggesting we pause the push for an exclusive recommendation, and if we revisit it at all, it should be when we have more implementations, more implementor engagement, and more robust data. The placeholder approach for the wider Solid26 launch — keeping the access-control-language wording out of the launch until consensus is reached — is in #785.

The wider implementor engagement is already in flight: the persona-groups operating model presented by @Roberto-Breitman at 2026-04-08 is the mechanism by which we expect more implementations and more structured feedback to land in the CG over the coming months. Solid26 is set up to feed into that process. The implementors guide is not where the normative call should be made; that belongs in the protocol-level specifications, on the back of better data.

Two underlying discussions

Two questions are getting mixed up here that it's worth separating:

(1) What use cases is Solid aiming to support? This is too broad for the implementors guide. The CG has a UC&R document at solid.github.io/authorization-panel/authorization-ucr which already records requirements such as capability access (§3.2.1), credential access (§3.2.2), and time-bound access (§3.6.1) — none of which WAC supports today without server-side extensions.

On your Cloud Storage reference: Solid's scope is broader than the social-web framing. Even many of the WAC proponents have industry use cases. There are also regulated use cases that are not commercial, such as regulated health data, for which there is a whole session at the Solid Symposium. The implementors guide is not the place to redraw the scope of Solid.

(2) Whether WAC provides sufficient coverage of Solid's use cases. There is genuine disagreement here, but there is also visible agreement that extensions to WAC are needed to satisfy some use cases — the conditional-grants work that lands as acl:condition in WAC 1.1 ED is a direct example. Those extensions require server-side changes; clients cannot rely on an arbitrary WAC server to support them. The pragmatic next step is to get those capabilities into existing WAC server implementations (e.g. via WAC 1.1) and assess via Solid26 whether WAC then covers what implementors need — before taking further decisions about access-control language recommendations.

Even though WAC 1.1 is not recommended in the implementors guide, mentioning it as an aside does not stop implementors engaging with Solid26 from discovering it and choosing to use or test it — especially those on the more research-oriented end of the adoption spectrum, who are well-placed to give the CG feedback on whether WAC + 1.1 extensions cover their requirements.

Other languages have also been raised in the meetings — ODRL among them, including by you at 2026-04-22 ("we might want to go back and consider other authorization mechanisms, like ODRL"). As such, having the debate over strongly recommending a language — when we do not have CG consensus, and when we may end up discarding both WAC and ACP for something else — is not desirable; nor is continuing the discussion a good use of time at present.

Solid26's broader purpose

Solid26 is explicitly aimed at increasing implementor feedback to the CG, including from WAC implementors. The persona-groups model presented by Roberto at 2026-04-08 is the structured channel for that. The hope is that the data gathered through this exercise lets us make better-grounded decisions than we can today. The lack of substantive ACP-side implementor feedback is a real issue — but so is the broader lack of implementor feedback the CG has had to work with on access-control choices generally. Solid26 is set up to address that.

Tone / wording fixes from the review

Several of the wording critiques have been applied in 7fb35b7 and 2440259:

• Monotonic / non-monotonic terminology removed. Both terms are gone. WAC's positive-grant model and ACP's deny-override semantics are still described where they bear on capabilities.
• WAC limitations rephrased. Now reads "WAC 1.0 does not support deny or non-additive policy composition, application-aware matching beyond Origin, or issuer matching", paired with the WAC 1.1 ED signpost — rather than the prior "does not express deny rules…" phrasing.
• ACP paragraph rewritten as concrete capabilities. Allow/deny + deny-override, acp:client, acp:issuer, acp:vc, acp:allOf/acp:anyOf/acp:noneOf. The "more expressive alternative / suited to requirements beyond WAC" framing has been removed.
• WAC 1.1 active-development signpost. 5435add adds the link to the WAC 1.1 ED. Currently linking to a Wayback Machine snapshot; PR Add TR snapshot for WAC 1.1 (2026-04-20) #784 adds the proper TR/2026 snapshot, and a suggestion already on this PR will swap the link to the immutable URL once Add TR snapshot for WAC 1.1 (2026-04-20) #784 merges.

Items left as-is

• Survey data presentation. The figures stand on their own in the #note-survey block; not adding interpretive prose over them.
• Implementer-feedback citations. Not adding either @VirginiaBalseiro's or @acoburn's specific comments to the spec text. The meeting record holds them; the guide does not need to amplify either side.

Happy to act on anything else with specific direction.

[csarven]

the action I took was to propose neutral text for the WAC/ACP framing in solid26

Once again, it wasn't a CG action.

We can stop here.

But I'll entertain the extensively structured comment you shared.

---

I didn't find the proposal neutral. On the contrary, as I've pointed out, it had obvious bias, diminishing WAC, and elevating ACP. I find it trivial to read between the lines.

At the 2026-04-01 call I said [..]

If you are literally taking the quoted text from the minutes as the only input for evaluation, yes, I can see why you would arrive at that proposal. The fact of the matter is the essence of what was concluded in that meeting. If you believe that the minutes are incomplete or at least don't fully capture that, I can agree with you on that. I have expressed elsewhere that minutes should be updated to fill in the blanks. If you would like to raise an objection on the point that WAC was to be recommended and ACP not based on your recollection of the meeting, we can evaluate that in a CG meeting, and get to the bottom of it.

The decision recorded at 2026-04-08 [..]

That was not at all a "decision". That was something you spoke. Nothing more. It is important not to conflate the idea that voicing oneself equates CG consensus / action / decision etc., in any way.

The data-collection email of 2026-03-20 flagged that the data

You're making my point for me. The 2026-04-01 call was the "decision". There was no objection to that decision nor any significant information provided for consideration to re-consider the decision.

but no formal vote was sent

Then let's back all the way up. Stop the presses. But wait, before we do that, could you explain why a "formal vote" is necessary? Or let me ask another question, do you think a vote is the best way to resolve this issue? I suggested several times now that if there is a dispute, then propose a criteria to better analyse the data, we (CG) can then find a way to agree on that criteria before going further.

I've reflected those views back here based on the feedback given to me.

The 2026-04-15 and 2026-04-22 calls re-opened the framing

"Re-opening the framing" wasn't called for by the CG. An alternative framing was suggested, but that was never agreed. In fact, there were objections to that framing. I don't see the proposed text reflecting the views of the objections on re-framing.

including statements

None of those statements rise up to a change. It is not even new or relevant information to the subject matter. If anything, those statements are already captured in the data. Data > statements.

We clearly do not have consensus right now

We are already past consensus. What you may be thinking is that we don't have unanimous consensus. No, it is not required to move forward.

PR aims to be as neutral as possible

But it isn't. And it does not follow the original intention of solid26. What's happening right now is known as moving the goal posts. Many of the things being said or "reframed" rests on that logical fallacy, among others. We can walk through each statement if you like.

more implementations, more implementor engagement, and more robust data

I need those quantifiable. See also what I said re criteria. You are welcome to propose one. The CG can evaluate it.

The placeholder approach for the wider Solid26 launch

Once again, that conflicts with prior CG decision.

The wider implementor engagement is already in flight

Why do you feel/think this is acceptable CG input as is? Or do you/ODI think that CG needs to operate around that? If so, why? What you cite is literally "ODI Persona Groups Operating Model" - great, that about sums it up.

The implementors guide is not where the normative call should be made

The CG literally did not ask for this to begin with, so it is unclear what this is responding to or is it just a statement?

(1) What use cases is Solid aiming to support?

It is incorrect to think that any mechanism needs to support all of the use cases nor they are desired. If the ecosystem has already converged on WAC based on the data collected, that speaks for itself.

On your Cloud Storage reference: Solid's scope is broader than the social-web framing

This is once gain red herring. I consistently used the phrase "open web" both in the call and in writing. And I even corrected you when what I said ("open web") was thrown back as "social web". The point wasn't that Solid can't or shouldn't address "fixing the web" for all possible use cases one can imagine in society. The point was about focus and the actual problems that people have on the web / in their lives towards "fixing the web" and what the CG can genuinely solve without reinventing wheels. Coming up with solutions to problems that people (in masses) didn't ask for is not something the CG has to fix. The CG charter has a scope: https://www.w3.org/community/solid/charter/#scope and that already gives plenty of room.

(2) Whether WAC provides sufficient coverage of Solid's use cases

What's written there is so convoluted and I think it lacks a deep understanding of standards development. WAC, or any CG work item for that matter, does not answer to solid26 or ODI or whatever. WAC is evolving at its own (s)pace based on the wider discussions/implementations. Yes, we understand implementation experience, and don't need to be told about this. In the 2026-04-22 meeting, Christoph and myself already gave a status update about current state and next steps, which includes gathering implementations and listening to feedback before publishing TR/wac .

Even though WAC 1.1 is not recommended in the implementors guide

I personally don't care if WAC 1.1 is mentioned in solid26 or not. WAC 1.1 ED could be mentioned, if the CG agrees, for what it is, and we're working towards publishing WAC 1.1 CG-DRAFT. There is not much more to this story.

ODRL among them, including by you at 2026-04-22

Yes, have been since 2019 (e.g., solid/authorization-panel#55 ). It is not strictly about ODRL either. I only called for work / research / study to find ways to bridge the work between Solid stuff and ODRL. Some of which I've proposed (to Solid/ODRL and implemented myself). Again, if Solid wants to "fix the web" and go beyond mechanisms that are quite literally in the same category, it needs to dive into solid/authorization-panel#121 .

As such, having the debate over strongly recommending a language

Na, that's not what this is about. One recommends, as originally agreed, based on what we have. Not based on hypotheticals or architecture astronomy. We are talking about solid26, not final be all "solid-final-1oneoneeleven-last-rubberstamped.html" that wraps everything up as the ultimate guide on how fixing the web should be done with Solid. I thought this was obvious, but here we are.

persona-groups model presented by Roberto at 2026-04-08 is the structured channel for that

Disagree. And there is no CG consensus on that whatsoever. It is not CG material. Just the act of getting some airtime in a CG meeting does not mean that's CG consensus. CG participants with ODI affiliation are welcome to share their findings with the CG. That does not entail that the CG just says "okay".

WAC limitations rephrased

This is still seriously problematic. The fact that this is describing WAC around ACP's features is an obvious red flag. It is aiming to draw attention to something that the Solid ecosystem for the most part does not even use based on the data. It is an asymmetric rhetorical structure, not neutral presentation. But, that said, WAC has an issue on "deny" at solid/web-access-control-spec#137 and we'll investigate that. The mention around Origin is trying to draw attention on something that's not even particularly widely implemented in WAC, and could very well be deprecated in WAC one day (e.g., solid/web-access-control-spec#130 ). Saying something like "application-aware matching beyond Origin" is not only misleading but shows a misunderstanding of "web origin authorization", which has nothing to do with "application-aware matching". Regarding the language "with no implementations known at the time of publication" in 5435add , why would you even feel the need to say that for an WAC 1.1 ED? Is that actually helping anyone that has no understanding or care about ED / CG-DRAFT or whatever? I find that whole phrasing not only awkward but diminishing (and I know where it comes from). We just got the ED out and noted commitments to implemented in its PR. Literally no one, not even the CG suggested that ED needs to be interpreted as mature.

The meeting record holds them; the guide does not need to amplify either side.

Because one cancels the other? If it is useful information, why wouldn't you incorporate it? Or is it that implementation feedback that's negative about ACP shouldn't be disclosed in soldi26?

Happy to act on anything else with specific direction.

At this point, I'll wait for @uvdsl's review.

[uvdsl]

Solid26 (WAC|ACP)

Dear all,

there is disagreement on what the intent and content regarding access control language(s) in the Solid26 Implementation Guide should be.

I have manually reviewed all CG meeting minutes starting 2026-01-07 and linked documents relevant to that discussion. Please find all the relevant links and highlighted contents at the end of this comment.

TL;DR:

I thus arrive at the conclusion that

• the technical arguments made to also recommend ACP do not invalidate the agreement and decision that had been reached within the CG.
• the intention of "Solid26" from the beginning was indeed to recommend one access control language (as it was communicated that way and the initial drafts only listing ACP).
• the agreed to process resulted in WAC being the choice of access control language to recommend

This CG followed the usual process of finding consensus or agreement and to reach a decision on a proposal. If individual CG members are not satisfied with the outcome of the decision or the data collection by means of which the outcome was determined, I would urge them to raise an issue to the group and make their concerns explicit in writing such that it can later be referenced. At the same time, I urge CG members to not obstruct implementation of the CG's decision, even though they might personally disagree.

Status Quo

• "Solid26" was communicated by @jeswr (JW) and Oli Bage (OB) to select one access control language and to recommend that choice. [2026-01-21],[2026-01-28],[2026-03-18],[2026-03-20],[2026-03-25], [2026-04-01]
• Prior to data collection, the initial Google Docs drafts for Solid26 listed ACP as the already chosen access control language to recommend. [Solid26 Overview (draft)], [Solid26 (draft)]
• Data collection shows high adoption of WAC and low adoption of ACP in the community. [Results (archived)]
• After the data collection had finished, it was proposed by @jeswr to recommend WAC and in addition mention ACP. [2026-04-08]
• An Objection was raised by @csarven against this proposal based on the earlier communicated goal and agreement on that goal in the group. [2026-04-15]
• TimBL argued to recommend ACP en par with WAC. [2026-04-15]
• The editors of Solid26 moved forward with recommending WAC while mentioning ACP, though not to include ACP, despite the objection. 12a71a3
• The argument to recommend ACP en par with WAC depended on use cases was iterated. [2026-04-22]
• It was argued that "Solid26" were not intended to lock in baselines. [2026-04-22]

Based on the above, I observe that

• agreement was reached within the group to recommend one access control language based on the data gathered
• the choice of access control language to recommend had fallen on WAC under consensus of the group
• there is no agreement within the group not to recommend WAC
• there is no agreement within the group to recommend ACP and WAC en par
• there is no agreement within the group to recommend ACP

I further note that

• the current draft for "Solid26" already mentions ACP as an expressive access control language and acknowledges that implementers might find ACP to satisfy their use cases.
• this is already borders what was originally communicated within and agreed to by the group.

I thus arrive at the conclusion that

• the technical arguments made to also recommend ACP do not invalidate the agreement and decision that had been reached within the CG.
• the intention of "Solid26" from the beginning was indeed to recommend one access control language (as it was communicated that way and the initial drafts only listing ACP).
• the agreed to process resulted in WAC being the choice of access control language to recommend

This CG followed the usual process of finding consensus or agreement and to reach a decision on a proposal. If individual CG members are not satisfied with the outcome of the decision or the data collection by means of which the outcome was determined, I would urge them to raise an issue to the group and make their concerns explicit in writing such that it can later be referenced. At the same time, I urge CG members to not obstruct implementation of the CG's decision, even though they might personally disagree.

History

https://github.com/solid/specification/blob/main/meetings/2026-01-21.md

What is now known as "Soli26" was first pitched to the community as "Solid 1.0".

OB: Different sub-specs are at different levels of maturity. Having a clear line in the sand, for external parties, is the majority of the v1 goal. When other specs become more mature, v1.1 and v1.2 versions might follow.

JW: Walked briefly through the ODI roadmap, explictly highlighting bariers to adoption:

Additions / Decisions regarding client implementations
Best practices for client implemantors (client to client specs)
Would like to prioritise suggested items with the group
How to structure containers and best practices for container access
Recommendations for content in public or private resources
Promote a single Access Controll spec (WAC or ACL?) And get more consensus surrounding Notifications

JW: [Answering a question regarding WAC vs. ACL] Would prefer not to let his personal preference lead the direction. Part is dependant on current server implementations. The data to allow making a data-driven decision is missing

---

https://github.com/solid/specification/blob/main/meetings/2026-01-28.md

JW:

Scale 1-4 (order of priority)

Bundle content:

Standards releases:
Solid Core protocol
OIDC
WebID
OneOf(WAC|ACP) access control spec

---

https://github.com/solid/specification/blob/main/meetings/2026-02-04.md

where I cautioned about starting a rather fierce discussion on ACP vs. WAC and advocated for considering active maintanence of the specs as an important criterium

OB: We want to gather implementation data
CB: I would encourage caution how to approach this debate. It has been creating quite a rift. There have been a lot of issues acknowledged in both camps. I'm not sure if for 2026 it is reasonable to explain the differences, or provide more guidance. Rather than picking one and divide the community.
eP: Features in scope, for example no app authorization at all or limited app authorization only available for the Resource Owner via something like acp:client matcher (or improved WAC)
eP: need for client restrictions eg acp:client
CB: There is a long demand for that feature in WAC, I created a PR. Noting that WAC is still being worked on and ACP didn't see changes.
eP: Matthieu would need to engage to make any further work on ACP
CB: We should consider who actively is using it and have request for features, test stability, have feedback from practicioners.

---

https://github.com/solid/specification/blob/main/meetings/2026-03-18.md

jeswr: Solid 26 suggestion to create spreadsheet with server implementers and applications and WAC/ACP compatibility
..: message to CG about spreadsheet and that survey will help determine Solid 26, survey due next Friday: 27 March
eP: would be nice to have tests for both to be able to validate (currently no ACP test suite)

JW: want to share and get feedback/PR
JW: my current draft on the Solid 2026 document: https://docs.google.com/document/d/1da2J-NsU3K-4kWEFOvhzIdrvy_KftewXdlxfu401kY0/edit?tab=t.0

https://web.archive.org/web/20260424080942/https://docs.google.com/document/d/1da2J-NsU3K-4kWEFOvhzIdrvy_KftewXdlxfu401kY0/edit?tab=t.0

This draft lists ACP as the already chosen access control language, recommended by the initial draft.
This draft had been created prior to any data collection.
The creators of this draft seem to favor ACP for undisclosed reasons.

---

https://lists.w3.org/Archives/Public/public-solid/2026Mar/0019.html

From: Jesse Wright jesse.wright@theodi.org
Date: Fri, 20 Mar 2026 10:13:53 +0000
To: public-solid@w3.org
Message-ID: CAJbzXEV4EHbhF0Z4hZBvkz3RizdWRNduBYPvGu6m+BrpJzswiw@mail.gmail.com

we are collecting data on WAC and ACP implementations across Solid applications, servers, pod services, and test suites. This information will help determine which specifications are recommended for Solid26 https://docs.google.com/document/d/1HxaShh5MVRBcimo9uXrtpWPCW6Xo5S9aOLdFAQX2oJY/edit?tab=t.0

where the linked document lists ACP as the recommended access control language: https://web.archive.org/web/20260424082149/https://docs.google.com/document/d/1HxaShh5MVRBcimo9uXrtpWPCW6Xo5S9aOLdFAQX2oJY/edit?tab=t.0#heading=h.68mt47qe53m7

---

https://github.com/solid/specification/blob/main/meetings/2026-03-25.md

https://github.com/solid/solid26/blob/main/content.md

https://github.com/solid/solid26/blob/d3065b970cf477ed4a19a1e1a2916a4357582f53/content.md mentions again "one of" WAC or ACP. I observe a pattern where "one of (WAC|ACP)" is communicated on W3C records while ACP remains the one already chosen in the shared draft documents.

SC: If there are bugs in the specifications, they should follow the typical CG process for addressing them (see CG contribution guidelines below). When I look at the WAC vs ACP spreadsheet, vast majority of the applications align with the open source servers. That's the interop we can point at. There are servers that these applications do not interact with and so it doesn't make sense to optimise for the edge closed-source servers that are not even part of this conversation. If anything, they can play along with the ecosystem that we have (based on data). Also, the CG Contributing Guidelines details Work Items: https://github.com/w3c-cg/solid/blob/main/CONTRIBUTING.md#work-items

---

https://github.com/solid/specification/blob/main/meetings/2026-04-01.md

eP: In the future we could try to do it via PRs so that we get notifications and provenance
... https://docs.google.com/spreadsheets/d/1b_aEy0p6-jxChJ9OU5TwVz8FkRRIl5r7L6m95DXsJdQ/edit?gid=0#gid=
... many items list WAC, only a few that list ACP
JW: This should inform what we recommend in the implementors guide that was just mentioned in the announcement
RZ: This document lists servers and implementations - but there has not been a poll on what features people need/prefer from WAC/ACP
SC: This was for Solid26/Implementors?
JW: Yes.
SC: Okay, thank you. What would be then be a good a resolution to this? What is the kind of message you envision to come of this? Like: "We collected the data, and here is the result".
JW: One way I was thinking was that we recommend in the implementors guide the use of one specification - based on the data collected.

Gathered data archived: https://github.com/w3c-cg/solid/blob/main/implementations/wac-acp.2026-04-01.csv

---

https://github.com/solid/specification/blob/main/meetings/2026-04-08.md

JW: shares screen to go over the pull request (listed above) - At present we have an abstract talking about what Solid26 is: Non-normative document, a collection of existing works. Key thing being servers should comply to WAC, may also support ACP (as per the survey conducted last week), it points to a snapshot of WAC which may be updated if Sarven puts up a new version before Solid26. Also includes work on guidance by Samu.

I notice that the wording is still in-line with recommending WAC to implementers. I also notice that this is the first time that it is no longer "one of (WAC|ACP)", which had been communicated and agreed to earlier.

https://github.com/solid/specification/blob/main/meetings/2026-04-15.md

SC: Regarding access control, the whole discussion was already concluded in the CG based on the data gathered in the CG, which was that implementation of WAC is encouraged and ACP is not. Anything else does not reflect community consensus. Anything else, that e.g. clients should do this or that, is out of scope here. There were also some mistakes that were corrected re clients implementing. I object to the language around the wording that was or is in the PR. I maintain that (along those lines) WAC should be encouraged and ACP not.

IMPORTANT
Now the discussion is re-opened in the meeting by JW making the argument of a flawed data gathering process:

[JW:] re access control languages, I think there are two open threats:
... 1. how we frame this document as a whole
... if we follow the philosophy of CB, saying that we look at the Solid Protocol and fix some versions in Solid26 and reflect on the state of current implementations, then I would be leaning on the new text I proposed where I say that the Solid Protocol requires ACP and WAC, clients typically only implement one. That is more inline with not including any normative language, so it does not break anything from the Solid Protocol.
... It was also pointed out that there were some flaws in the data collection, e.g., as raised by SL in an ODI internal call, which is that there is no reflection of where particular servers and apps are deployed and what their usage is and number of usage is. We do have some data but ODI thinks that the data does fall apart quickly.

Extracting Responses that I found most relevant:

SC: If the group wants to go back to the drawing board to gather new data, then I suggest to come up with transparent criteria so we can all agree on what to rate the data. I am open to that. As it stands, we can split hairs about the above properties. You mention Technology Readiness Levels (TRLs) which seems to be a loaded term. Readiness for who or where? What context? Ready for the "Open Web"? Accessible to different people, regions, economic backgrounds? Open source?
... I have to be honest. Looking at the data, and how now the PR and its content have been handled, it seems that someone in that discussion did not seem to like the outcome. Still, I think that the data is the best overview of what is out there that we ever had.
... there has been multiple pushes for ACP to become the only Access Control Language, which had not been successfull, and the data seems to reflect that
... WAC remains prominent in the ecosystem, and actively maintained
... if ACP is actually used, why do we not hear from implementers or deployments, why do we not get feedback to benefit from.
SC: I would thus like to propose to remove ACP from the Solid Protocol altogether. PROPOSPAL: Deprecate ACP in Solid Protocol
... This is independend from the Solid26 discussion, we can have that discussion as well.
... Still, my proposal stands. There is also additional implementations of WAC which we also did not cover, e.g., from OpenLink, W3C, and others.
... I think we should acknowledge what worked and what didnt.
... There were also folks in the community that advocated that we do not need ACP, Henry Story did infact showcase how WAC can facilitate the same use cases of ACP. This discussion then stalled due to lack of engagement from the ACP camp. So, why dont we just settle on WAC?

CB: I want to emphasise that there are different audiences that ODI has in mind. From what we have right now, the recommendation for one over the other is pretty obvious. However the wording in the end is, it cannot put ACP as the prime policy language to use, just based on the feedback gathered.

[TBL:] For the particular issue of ACP/WAC, WAC is much more deployed but not mentioning ACP would be injustice because it exists.
...: and mathematically ACP is a more powerful languague. It can do things that WAC cannot do

SC: At the end of the day, we want this thing to be implementable and to get feedback from implementers. WAC has a better track record here. I dont know what new criteria would be needed to make ACP appear better
...: WAC and ACP are not that different when you dive into the model. Different environments need different things. When we look at the open web or social web -- WAC quite literally gives us what we want. This is better than offering something complex that doesn't have the same foundation. If you look at google docs, their interface boils down to read/write/append and control. This is from one of the largest tech companies with a userbase of billions. That is working for that type of environment. I feel that we aren't aiming for that 80-95%, instead we are looking for that 1% that we are trying to optimise for somehow.

[CB]: On WAC and ACP I do think that we should encourage WAC over ACP given what we have heard so far from the community, given that it supports a wide range of use cases and that it is extensible to support a wider range of use cases. I am yet to encounter a use case that WAC does not support directly or through the extensions it allows. I am yet to see an application in Germany which uses ACP. Further, because WAC is so simple, it is much easier for people to extend WAC with the concepts that they need rather than ACP.

[TBL]: Does anyone object to having ACP mentioned?
SC: I object since we gathered the data and made a decision earlier.
...: I base my objection on intent to sticking with some form of a process. Why we don't follow what we agreed to do?

CB: [...] Focusing on Solid26. Can we work with the data that we obtained, and acknowledge that we have it as it is. Being WAC is widely implemented ACP less: implementers be aware. And note that this is an attempt of gathering broader feedback from implementers. I see that you want to use Solid26 as a vehicle to obtain feedback. Let's acknowledge the data we have and consider it as the first iteration.

https://github.com/solid/specification/blob/main/meetings/2026-04-22.md

OB: The purpose of Solid26 was to get feedback by wider groups, not locking in certain baselines.

Directly contradicts how Solid26 was pitched to the CG in the 2026-01-21 meeting, where OB said "having a clear line in the sand" and JW said "Promote a single Access Controll spec"

TBL: This is important, so maybe we can schedule this earlier next time?
...: I am a big supporter of WAC. If did lots of work for WAC, and I used WAC alot, and for most things it works. However, I noticed that I could not use WAC when running Solid on my Apache Server. Apache does "deny"-things, it is more complicated that WAC is to simple. If Inrupt finds that there are systems out there that are too complex for WAC and might require ACP. The fact that those systems are not open source. I think you have to accept this even if this comes from a corporate particpant.
CB: Thank you Tim. My gut feeling is that arguments are all valid in their own rights. ACP is more expressive than WAC, can't do deny. Nobody disputes that. There are some use cases that require that functionality. What the question here really is what should be the first place to look at when considering authorization mechanisms. The community thinks what you should use, if you find that your system is too complex. Then by all means go use it. It doesn't mean that we need to recommend WAC and ACP on par, given that we agreed on something based on data.

AC: I don't know who added Inrupt data, it is not one and we don't disclose it in general. The way it is framed and the way I would recommend: different use cases have different requirements and will require different systems. WAC is widely adopted and serves certain use cases well, there are other use cases, which may be

JZ: It seems that based on survey we have to recommend WAC, it doesn't mean that we shouldn't mention ACP. I don't want to say it is just for social media. There are public sources used by non-profits. There are many use cases where WAC works.

---

---

Reviewed; did not find content relevant to the WAC/ACP debate:

• https://github.com/solid/specification/blob/main/meetings/2026-01-07.md
• https://github.com/solid/specification/blob/main/meetings/2026-01-14.md
• https://github.com/solid/specification/blob/main/meetings/2026-02-11.md
• https://github.com/solid/specification/blob/main/meetings/2026-02-18.md
• https://github.com/solid/specification/blob/main/meetings/2026-02-25.md
• https://github.com/solid/specification/blob/main/meetings/2026-03-04.md
• https://github.com/solid/specification/blob/main/meetings/2026-03-11.md

[uvdsl]

I disagree with @elf-pavlik. This is wording seems controversial to me.

The original suggested wording painted WAC as simple and points out what it is NOT good for (without elaborating on what the used terms, e.g., conditional grants or context-aware policies, mean). The suggested wording does not at all do WAC justice with regards to what it can do. In fact, the suggested wording compresses the acknowledgement of this to a side-note. Instead, the suggested wording paints ACP as the alternative to go beyond "simple" requirements, which implies that WAC is simple because it can only satisfy simple requirements. This is misleading. WAC is simple and it can satisfy quite complex requirements. In addition, citing the security considerations of WAC to point out a specific missing feature (in TR, not ED) to implementers, while not even acknowledging that ACP does not even have any security considerations or privacy considerations sections is applying double standards.

The currently proposed wording is also problematic in that it again points out which of ACP's features WAC does not seem to support. This is problematic because you can use WAC extensions and agent classes to model complex authorization rules including client restrictions and issuer restrictions. While the wording acknowledges that WAC is actively being maintained and moved forward to include features desired by the community in a convenient way, this is immediately played down that there were no implementations. Implementations are in progress, e.g., my own, and a previous attempt for CSS can be found here and thus be quickly updated from what I see.

The "action" that was listed in the minutes: As far as I can determine, there was a suggestion to explain use cases and requirements re WAC/ACP at the very end of the minutes, by the point of which we were already more than 30min over time. The minutes does not detail whose suggestion this was. That @jeswr took this as an action does not imply consensus or agreement from the group. The meeting minutes' "actions" section has been a rough TODO list (at best) to keep track of in the group, given that we rarely had technical discussions and let alone decisions in the last 2 years. That said, I appreciate the effort.

The issue remains that the suggested changes include ACP as a recommended access control language. As far as I understand from the meeting minutes, there was no agreement to add ACP as a recommended access control language to Solid26. Please amend the proposal accordingly, e.g., by accepting my suggested changes, and remove ACP as a recommended specification.

[uvdsl]

Suggested change

The Solid Protocol requires Servers to conform to Web Access Control (<a href="#web-access-control">WAC</a>), Access Control Policy (<a href="#access-control-policy">ACP</a>), or both, and requires Clients to conform to both. In practice, Clients typically conform to one. A Client that conforms to only one and needs to read or write access-control rules will not interoperate with a Server that implements only the language the Client does not support; Clients that do not interact with access-control rules are unaffected. Implementers choosing between the two should consider the requirements satisfied by each.

The Solid Protocol requires Servers to conform to Web Access Control (<a href="#web-access-control">WAC</a>), Access Control Policy (<a href="#access-control-policy">ACP</a>), or both, and requires Clients to conform to both. In practice, Clients typically conform to one. A Client that conforms to only one and needs to read or write access-control rules will not interoperate with a Server that implements only the language the Client does not support; Clients that do not interact with access-control rules are unaffected.

[uvdsl]

Suggested change

	<p>WAC is pragmatic, user-friendly, and extensible. WAC 1.0 does not support deny or non-additive policy composition, application-aware matching beyond Origin, or issuer matching; application-aware matching, issuer matching, and other conditional grants land as <code>acl:condition</code> in <a href="https://web.archive.org/web/20260425225256/https://solid.github.io/web-access-control-spec/">WAC 1.1 ED</a>, with no implementations known at the time of publication.</p>
	<p>ACP is expressive. It supports allow and deny rules (deny overrides allow), application-aware (<code>acp:client</code>) and issuer (<code>acp:issuer</code>) matching, verifiable-credential matching (<code>acp:vc</code>), and policy composition via <code>acp:allOf</code> / <code>acp:anyOf</code> / <code>acp:noneOf</code>.</p>
	<p>WAC is considered pragmatic, easy to understand, and extensible. WAC is deny-by-default and authorizations grant access that would otherwise be denied. WAC is being actively maintained and moved forward to include community-desired features in a convenient way. ACP is considered expressive yet complex. ACP allows to flexibly compose policies that grant and deny access. ACP is currently not actively maintained.</p>

[uvdsl]

Suggested change

	</div>
	</div>
	<p>
	Servers are strongly encouraged to implement Web Access Control (<a href="https://solidproject.org/TR/protocol#web-access-control">WAC</a>), see <a href="#web-access-control">below</a>.
	In case WAC seems not to satisfy implementers' requirements, implementers are strongly encouraged to verify their understanding of the matter in community discussion by providing <a href="https://solidproject.org/TR/wac#document-feedback">feedback</a> to the community.
	If WAC is not able to satisfy the requirements, implementers might consider ACP or <a href="https://github.com/solid/authorization-panel/issues/121#issuecomment-4253548683">other suitable mechanisms</a> to achieve their goals.
	</p>
	<p>Clients are advised to consider that they might not be able to interoperate with every conforming Server they encounter and are thus encouraged to. Clients are encouraged to signal corresponding issues to their users.</p>

[uvdsl]

Suggested change

	<section id="access-control-policy" inlist="" rel="schema:hasPart" resource="#access-control-policy">
	<h3>Access Control Policy</h3>
	<div datatype="rdf:HTML" property="schema:description">
	<p><a href="https://solidproject.org/TR/2022/acp-20220518">Access Control Policy</a> (v0.9.0, 2022-05-18) is included.</p>
	</div>
	</section>

[uvdsl]

Suggested change

	<dt id="ref-acp">[ACP]</dt>
	<dd><cite><a href="https://solidproject.org/TR/2022/acp-20220518">Access Control Policy</a></cite>. Matthieu Bosquet. W3C Solid Community Group. 18 May 2022. Version 0.9.0. URL: <a href="https://solidproject.org/TR/2022/acp-20220518">https://solidproject.org/TR/2022/acp-20220518</a></dd>

[uvdsl]

Suggested change

	<tr>
	<td><a href="https://solidproject.org/TR/2022/acp-20220518">Access Control Policy</a></td>
	<td><a href="https://solidproject.org/TR/2022/acp-20220518">(v0.9.0, 2022-05-18)</a></td>
	<td><a href="#access-control-policy">Link</a></td>
	</tr>

[uvdsl]

Suggested change

<li class="tocline"><a class="tocxref" href="#access-control-policy"><bdi class="secno">2.4</bdi> <span>Access Control Policy</span></a></li>