From 619a20702b8d53eff3a876864237cfc036446d7e Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Sun, 5 Apr 2026 04:27:00 +0100 Subject: [PATCH 01/46] feat: initialise Solid26 implementors guide --- solid26.html | 460 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 460 insertions(+) create mode 100644 solid26.html diff --git a/solid26.html b/solid26.html new file mode 100644 index 00000000..9e992fc1 --- /dev/null +++ b/solid26.html @@ -0,0 +1,460 @@ + + + + + Solid26: Implementation Guide + + + + + + + + +
+
+
+

Solid26: Implementation Guide

+

Draft Community Group Report,

+
+ More details about this document +
+
This version
+
https://solidproject.org/TR/solid26
+
+
+
Latest published version
+
https://solidproject.org/TR/solid26
+
+
+
Editors
+
Jesse Wright (University of Oxford)
+
Christoph Braun (Karlsruhe Institute of Technology)
+
+
+
Published
+
+
+
+
Modified
+
+
+
+
Feedback
+
GitHub solid/specification (pull requests, new issue, open issues)
+
+
+
Language
+
English
+
+
+
Document Type
+
Implementation Guide
+
+
+

Copyright © 2026 the Contributors to Solid26: Implementation Guide, under the W3C Community Contributor License Agreement (CLA). A human-readable summary is available.

+
+
+
+
+

Abstract

+
+

This document is an implementation guide for Solid26 — a curated collection of Solid specification versions intended to give developers, organisations, and communities a stable target to build against. It provides practical guidance for implementing the Solid specifications included in this release.

+
+
+
+

Status of This Document

+
+

This document was published by the W3C Solid Community Group as an implementation guide. It is not a W3C Standard nor is it on the W3C Standards Track.

+

This document is intended to provide implementation guidance for the Solid specifications collected in the Solid26 release. The content of this guide is informative and non-normative. It may be updated, replaced, or obsoleted by other documents at any time.

+

Comments regarding this document are welcome. Please file issues on GitHub.

+
+
+ + +
+

Introduction

+
+

The Solid Specification defines multiple sub-specification documents with differing levels of maturity. This, the Solid26 release, curates those sub-specifications with fixed versions of the most critical and stable documents required to build functional Solid servers and applications.

+

This document serves as an implementation guide — it does not define new normative requirements, but rather collects and explains the specifications needed to build interoperable Solid applications and servers as part of the Solid26 release.

+ +
+

What is Solid26?

+
+

Solid has been evolving since it was developed by Sir Tim Berners-Lee and his team at MIT. Decades of development has produced a rich set of specifications, tools, and community knowledge — but there is not yet a single, clearly defined collection that says: this is ready to build on.

+

Solid26 aims to change that. It brings together core Solid specification versions into one coherent collection. Think of it as a stable snapshot of the Solid platform — a known-good baseline that application developers and server implementers can target with confidence.

+

The name "Solid26" reflects the aspiration for Solid to adopt a rolling release model. Like modern browsers and platforms, the Solid ecosystem would continue to evolve — with annual collections that build on real-world feedback and adoption. Whether this model is adopted is subject to discussion within the W3C Solid Community Group.

+
+

Note

+

Solid26 does not change or remove existing parts of the Solid Specification in any way. It adds to the existing set of resources in the Solid community, and aims to make Solid more accessible.

+
+
+
+ + +
+
+ +
+

Specifications

+
+

The Solid26 specification documents are as follows:

+ +
+

Solid Protocol

+
+

The Solid Protocol (v0.11.0) is included with the following amendments. Servers are not required to implement the following:

+ +

The Solid Protocol document is stable.

+
+
+ +
+

Solid-OIDC

+
+

Solid-OIDC (v0.1.0) is included in the Solid26 release.

+

Solid-OIDC is subject to change as best practices for authentication evolve.

+
+

Editor's Note

+

Solid-OIDC v0.1.0 is not a widely implemented version. A document that accurately reflects current implementations is being drafted by Christoph Braun. This PR is waiting for that document to be available and ready to reference before merging.

+
+
+
+ +
+

Web Access Control

+
+

Web Access Control (Editor's Draft, 2024-06-03) is included in this release.

+

The Web Access Control specification is likely to become one of many access control language profiles which are supported in future releases. Note that most clients should not need to manage access controls — and hence should not be affected by a change in the access control language that a server uses.

+
+
+ +
+

Stability Expectations

+
+

The following table summarises the stability expectations for each specification included in this release:

+ + + + + + + + + + + + + + + + + + + + + + + + + +
SpecificationVersionStability
Solid Protocolv0.11.0Stable
Solid-OIDCv0.1.0Subject to change
Web Access ControlED 2024-06-03May become one of many profiles
+
+
+
+
+ +
+

Implementation Requirements

+
+

This section describes the expected requirements for applications and servers targeting the Solid26 release.

+ +
+

Server Conformance

+
+

Servers conforming to Solid26 are expected to implement all parts of the Solid Protocol (v0.11.0) with the exceptions noted in that section, along with Solid-OIDC and Web Access Control.

+
+
+ + +
+
+ + + +
+

References

+
+
+
[SOLID-PROTOCOL]
+
Solid Protocol. Sarven Capadisli; Tim Berners-Lee; Kjetil Kjernsmo. W3C Solid Community Group. URL: https://solidproject.org/TR/protocol
+ +
[SOLID-OIDC]
+
Solid-OIDC. W3C Solid Community Group. URL: https://solidproject.org/TR/oidc
+ +
[WAC]
+
Web Access Control. W3C Solid Community Group. URL: https://solidproject.org/TR/wac
+ + +
+
+
+ +
+

Acknowledgements

+
+

The content of Solid26 has been proposed by members of the W3C Solid Community Group, including the Open Data Institute, and is subject to the group's processes.

+

The Open Data Institute stewards the Solid Project and is coordinating the development of supporting materials for Solid26 in collaboration with the global Solid community.

+
+
+ +
+
+
+ + From 59eaa64db341c236d678256570744f4ac49932b7 Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Mon, 6 Apr 2026 16:20:46 +0100 Subject: [PATCH 02/46] fix: update Web Access Control links and dates in the specification --- solid26.html | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/solid26.html b/solid26.html index 9e992fc1..e2aa9729 100644 --- a/solid26.html +++ b/solid26.html @@ -369,7 +369,7 @@

Editor's Note

Web Access Control

-

Web Access Control (Editor's Draft, 2024-06-03) is included in this release.

+

Web Access Control (2024-05-12) is included in this release.

The Web Access Control specification is likely to become one of many access control language profiles which are supported in future releases. Note that most clients should not need to manage access controls — and hence should not be affected by a change in the access control language that a server uses.

@@ -399,7 +399,7 @@

Stability Expectations

Web Access Control - ED 2024-06-03 + 2024-05-12 May become one of many profiles @@ -438,7 +438,7 @@

References

Solid-OIDC. W3C Solid Community Group. URL: https://solidproject.org/TR/oidc
[WAC]
-
Web Access Control. W3C Solid Community Group. URL: https://solidproject.org/TR/wac
+
Web Access Control. W3C Solid Community Group. URL: https://solidproject.org/TR/2024/wac-20240512
From 8fa3c6967eeaba89f259b76a8e3986fad06f3683 Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Mon, 6 Apr 2026 16:26:26 +0100 Subject: [PATCH 03/46] fix: update versioning to include CG-Draft --- solid26.html | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/solid26.html b/solid26.html index e2aa9729..13b83293 100644 --- a/solid26.html +++ b/solid26.html @@ -339,12 +339,12 @@

Note

Specifications

-

The Solid26 specification documents are as follows:

+

The Solid26 specification documents are as follows. All referenced specifications are W3C Solid Community Group Drafts.

Solid Protocol

-

The Solid Protocol (v0.11.0) is included with the following amendments. Servers are not required to implement the following:

+

The Solid Protocol (CG-Draft, v0.11.0) is included with the following amendments. Servers are not required to implement the following:

  • 5.3.1 Modifying Resources Using N3 Patches
  • 10.2 WebID-TLS
    • @@ -357,7 +357,7 @@

    Solid Protocol

    Solid-OIDC

    -

    Solid-OIDC (v0.1.0) is included in the Solid26 release.

    +

    Solid-OIDC (CG-Draft, v0.1.0) is included in the Solid26 release.

    Solid-OIDC is subject to change as best practices for authentication evolve.

    Editor's Note

    @@ -369,7 +369,7 @@

    Editor's Note

    Web Access Control

    -

    Web Access Control (2024-05-12) is included in this release.

    +

    Web Access Control (CG-Draft, 2024-05-12) is included in this release.

    The Web Access Control specification is likely to become one of many access control language profiles which are supported in future releases. Note that most clients should not need to manage access controls — and hence should not be affected by a change in the access control language that a server uses.

    @@ -389,17 +389,17 @@

    Stability Expectations

    Solid Protocol - v0.11.0 + CG-Draft, v0.11.0 Stable Solid-OIDC - v0.1.0 + CG-Draft, v0.1.0 Subject to change Web Access Control - 2024-05-12 + CG-Draft, 2024-05-12 May become one of many profiles From 4269b76bb67640cd65de9b7bbced8a738db99957 Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Mon, 6 Apr 2026 16:29:18 +0100 Subject: [PATCH 04/46] feat: add editor's note regarding WAC version updates --- solid26.html | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/solid26.html b/solid26.html index 13b83293..6d8fb149 100644 --- a/solid26.html +++ b/solid26.html @@ -371,6 +371,10 @@

    Web Access Control

    Web Access Control (CG-Draft, 2024-05-12) is included in this release.

    The Web Access Control specification is likely to become one of many access control language profiles which are supported in future releases. Note that most clients should not need to manage access controls — and hence should not be affected by a change in the access control language that a server uses.

    +
    +

    Editor's Note

    +

    We would like to update the referenced WAC version and snapshot link to include the proposed changes in solid/web-access-control-spec#134, if they are merged in time.

    +
    From 1798a18f77dfa834400348f7477eddc1d951d21d Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Mon, 6 Apr 2026 16:35:55 +0100 Subject: [PATCH 05/46] fix: remove discussions of stability --- solid26.html | 37 ------------------------------------- 1 file changed, 37 deletions(-) diff --git a/solid26.html b/solid26.html index 6d8fb149..86649fd4 100644 --- a/solid26.html +++ b/solid26.html @@ -298,7 +298,6 @@

    Table of Contents

  • 2.1 Solid Protocol
  • 2.2 Solid-OIDC
  • 2.3 Web Access Control
    • -
  • 2.4 Stability Expectations
  • @@ -350,7 +349,6 @@

    Solid Protocol

  • 10.2 WebID-TLS
  • ACP (Access Control Policy)
-

The Solid Protocol document is stable.

@@ -358,7 +356,6 @@

Solid Protocol

Solid-OIDC

Solid-OIDC (CG-Draft, v0.1.0) is included in the Solid26 release.

-

Solid-OIDC is subject to change as best practices for authentication evolve.

Editor's Note

Solid-OIDC v0.1.0 is not a widely implemented version. A document that accurately reflects current implementations is being drafted by Christoph Braun. This PR is waiting for that document to be available and ready to reference before merging.

@@ -370,46 +367,12 @@

Editor's Note

Web Access Control

Web Access Control (CG-Draft, 2024-05-12) is included in this release.

-

The Web Access Control specification is likely to become one of many access control language profiles which are supported in future releases. Note that most clients should not need to manage access controls — and hence should not be affected by a change in the access control language that a server uses.

Editor's Note

We would like to update the referenced WAC version and snapshot link to include the proposed changes in solid/web-access-control-spec#134, if they are merged in time.

- -
-

Stability Expectations

-
-

The following table summarises the stability expectations for each specification included in this release:

- - - - - - - - - - - - - - - - - - - - - - - - - -
SpecificationVersionStability
Solid ProtocolCG-Draft, v0.11.0Stable
Solid-OIDCCG-Draft, v0.1.0Subject to change
Web Access ControlCG-Draft, 2024-05-12May become one of many profiles
-
-
From d745ce3086b3b4b3f79396f1c410314f1ccf21da Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Mon, 6 Apr 2026 16:38:07 +0100 Subject: [PATCH 06/46] fix: remove reference to WebID-TLS from Solid Protocol amendments --- solid26.html | 1 - 1 file changed, 1 deletion(-) diff --git a/solid26.html b/solid26.html index 86649fd4..66de1552 100644 --- a/solid26.html +++ b/solid26.html @@ -346,7 +346,6 @@

Solid Protocol

The Solid Protocol (CG-Draft, v0.11.0) is included with the following amendments. Servers are not required to implement the following:

From 00b8caac3856846c6880d410acbe16c09b8055d7 Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Mon, 6 Apr 2026 18:28:09 +0100 Subject: [PATCH 07/46] fix: remove Implementation Requirements section from specification --- solid26.html | 22 ---------------------- 1 file changed, 22 deletions(-) diff --git a/solid26.html b/solid26.html index 66de1552..de17db94 100644 --- a/solid26.html +++ b/solid26.html @@ -300,12 +300,6 @@

Table of Contents

  • 2.3 Web Access Control
    • -
  • -

    3. Implementation Requirements

    -
      -
    1. 3.1 Server Conformance
      2. -
    -
  • References
  • Acknowledgements
    • @@ -375,22 +369,6 @@

    Editor's Note

    -
    -

    Implementation Requirements

    -
    -

    This section describes the expected requirements for applications and servers targeting the Solid26 release.

    - -
    -

    Server Conformance

    -
    -

    Servers conforming to Solid26 are expected to implement all parts of the Solid Protocol (v0.11.0) with the exceptions noted in that section, along with Solid-OIDC and Web Access Control.

    -
    -
    - - -
    -
    -
    From 735cec492e94e78539e33a027cac5381f87f1110 Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Mon, 6 Apr 2026 22:54:02 +0100 Subject: [PATCH 08/46] fix: update implementation guide for Solid26 to clarify purpose and content --- solid26.html | 24 +++--------------------- 1 file changed, 3 insertions(+), 21 deletions(-) diff --git a/solid26.html b/solid26.html index de17db94..cec3887a 100644 --- a/solid26.html +++ b/solid26.html @@ -269,7 +269,7 @@

    Solid26: Implementation Guide

    Abstract

    -

    This document is an implementation guide for Solid26 — a curated collection of Solid specification versions intended to give developers, organisations, and communities a stable target to build against. It provides practical guidance for implementing the Solid specifications included in this release.

    +

    This document is an implementation guide for Solid26 — a snapshot of the most mature and widely implemented Solid specification versions, collected to help developers and organisations identify a common baseline. It provides practical guidance for implementing the Solid specifications included in this collection.

    @@ -288,9 +288,6 @@

    Table of Contents

  • Status of This Document

  • 1. Introduction

    -
      -
    1. 1.1 What is Solid26?
      2. -

  • 2. Specifications

    @@ -309,23 +306,8 @@

    Table of Contents

    Introduction

    -

    The Solid Specification defines multiple sub-specification documents with differing levels of maturity. This, the Solid26 release, curates those sub-specifications with fixed versions of the most critical and stable documents required to build functional Solid servers and applications.

    -

    This document serves as an implementation guide — it does not define new normative requirements, but rather collects and explains the specifications needed to build interoperable Solid applications and servers as part of the Solid26 release.

    - -
    -

    What is Solid26?

    -
    -

    Solid has been evolving since it was developed by Sir Tim Berners-Lee and his team at MIT. Decades of development has produced a rich set of specifications, tools, and community knowledge — but there is not yet a single, clearly defined collection that says: this is ready to build on.

    -

    Solid26 aims to change that. It brings together core Solid specification versions into one coherent collection. Think of it as a stable snapshot of the Solid platform — a known-good baseline that application developers and server implementers can target with confidence.

    -

    The name "Solid26" reflects the aspiration for Solid to adopt a rolling release model. Like modern browsers and platforms, the Solid ecosystem would continue to evolve — with annual collections that build on real-world feedback and adoption. Whether this model is adopted is subject to discussion within the W3C Solid Community Group.

    -
    -

    Note

    -

    Solid26 does not change or remove existing parts of the Solid Specification in any way. It adds to the existing set of resources in the Solid community, and aims to make Solid more accessible.

    -
    -
    -
    - - +

    The Solid Specification defines multiple sub-specification documents with differing levels of maturity. Solid26 collects the most mature and widely implemented specification versions into one coherent reference — a snapshot of the parts of the Solid platform that are most broadly supported by existing implementations.

    +

    This document does not define new normative requirements, but rather identifies and collects the specifications needed to build interoperable Solid applications and servers.

    From f46d28fb4dc9d575f9621939c07dfcfb6ead0972 Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Mon, 6 Apr 2026 22:55:56 +0100 Subject: [PATCH 09/46] fix: remove Acknowledgements section from Solid26 specification --- solid26.html | 9 --------- 1 file changed, 9 deletions(-) diff --git a/solid26.html b/solid26.html index cec3887a..49f0b973 100644 --- a/solid26.html +++ b/solid26.html @@ -298,7 +298,6 @@

    Table of Contents

  • References
    • -
  • Acknowledgements
    • @@ -371,14 +370,6 @@

    References

    -
    -

    Acknowledgements

    -
    -

    The content of Solid26 has been proposed by members of the W3C Solid Community Group, including the Open Data Institute, and is subject to the group's processes.

    -

    The Open Data Institute stewards the Solid Project and is coordinating the development of supporting materials for Solid26 in collaboration with the global Solid community.

    -
    -
    - From ddc0188d25981175c54be31d69c6f7cea1ca20bc Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Wed, 8 Apr 2026 00:43:07 +0100 Subject: [PATCH 10/46] fix: update Solid Protocol and related sections to reflect CG-DRAFT/FINAL versions --- solid26.html | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/solid26.html b/solid26.html index 49f0b973..3a965890 100644 --- a/solid26.html +++ b/solid26.html @@ -318,7 +318,7 @@

    Specifications

    Solid Protocol

    -

    The Solid Protocol (CG-Draft, v0.11.0) is included with the following amendments. Servers are not required to implement the following:

    +

    The Solid Protocol (CG-DRAFT/FINAL, v0.11.0) is included with the following amendments. Servers are not required to implement the following:

    • 5.3.1 Modifying Resources Using N3 Patches
    • ACP (Access Control Policy)
      • @@ -329,7 +329,7 @@

      Solid Protocol

      Solid-OIDC

      -

      Solid-OIDC (CG-Draft, v0.1.0) is included in the Solid26 release.

      +

      Solid-OIDC (CG-DRAFT/FINAL, v0.1.0) is included in the Solid26 release.

      Editor's Note

      Solid-OIDC v0.1.0 is not a widely implemented version. A document that accurately reflects current implementations is being drafted by Christoph Braun. This PR is waiting for that document to be available and ready to reference before merging.

      @@ -340,7 +340,7 @@

      Editor's Note

      Web Access Control

      -

      Web Access Control (CG-Draft, 2024-05-12) is included in this release.

      +

      Web Access Control (CG-DRAFT/FINAL, 2024-05-12) is included in this release.

      Editor's Note

      We would like to update the referenced WAC version and snapshot link to include the proposed changes in solid/web-access-control-spec#134, if they are merged in time.

      From 2ba9106284e08e2f3259f273aad56d980db1c042 Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Wed, 8 Apr 2026 00:44:41 +0100 Subject: [PATCH 11/46] fix: update notes heading "Editors Note" -> "Note" --- solid26.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/solid26.html b/solid26.html index 3a965890..d43abf9c 100644 --- a/solid26.html +++ b/solid26.html @@ -331,7 +331,7 @@

      Solid-OIDC

      Solid-OIDC (CG-DRAFT/FINAL, v0.1.0) is included in the Solid26 release.

      -

      Editor's Note

      +

      Note

      Solid-OIDC v0.1.0 is not a widely implemented version. A document that accurately reflects current implementations is being drafted by Christoph Braun. This PR is waiting for that document to be available and ready to reference before merging.

      @@ -342,7 +342,7 @@

      Web Access Control

      Web Access Control (CG-DRAFT/FINAL, 2024-05-12) is included in this release.

      -

      Editor's Note

      +

      Note

      We would like to update the referenced WAC version and snapshot link to include the proposed changes in solid/web-access-control-spec#134, if they are merged in time.

      From 91216e03eb12cfdd036fdf2b8240729a8ee69f14 Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Wed, 8 Apr 2026 01:03:55 +0100 Subject: [PATCH 12/46] fix: update ACP link to reflect correct section in Solid Protocol --- solid26.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solid26.html b/solid26.html index d43abf9c..f60fc20c 100644 --- a/solid26.html +++ b/solid26.html @@ -321,7 +321,7 @@

      Solid Protocol

      The Solid Protocol (CG-DRAFT/FINAL, v0.11.0) is included with the following amendments. Servers are not required to implement the following:

      From 71823990ff423c921c6159c156e29172832ceb9c Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Wed, 8 Apr 2026 01:21:16 +0100 Subject: [PATCH 13/46] fix: add Solid26 reference and links to specification table --- index.html | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/index.html b/index.html index 6c1baf22..6138558d 100644 --- a/index.html +++ b/index.html @@ -118,6 +118,13 @@

      Work Items

      Current Stage + + + Solid26 + https://github.com/solid/specification + CG-DRAFT + + Solid Protocol From 2ce1f0676592b72641bc99863dd24ba568ef6d4b Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Wed, 8 Apr 2026 01:32:06 +0100 Subject: [PATCH 14/46] fix: clarify Solid Protocol and Web Access Control descriptions in Solid26 specification --- solid26.html | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/solid26.html b/solid26.html index f60fc20c..f5a30afc 100644 --- a/solid26.html +++ b/solid26.html @@ -318,10 +318,10 @@

      Specifications

      Solid Protocol

      -

      The Solid Protocol (CG-DRAFT/FINAL, v0.11.0) is included with the following amendments. Servers are not required to implement the following:

      +

      The Solid Protocol (CG-DRAFT/FINAL, v0.11.0) is included with the following amendments:

      @@ -340,7 +340,7 @@

      Note

      Web Access Control

      -

      Web Access Control (CG-DRAFT/FINAL, 2024-05-12) is included in this release.

      +

      Web Access Control (CG-DRAFT/FINAL, 2024-05-12) is included in this release. Solid26 requires servers to implement WAC as their access control mechanism.

      Note

      We would like to update the referenced WAC version and snapshot link to include the proposed changes in solid/web-access-control-spec#134, if they are merged in time.

      From 286e7c7733ecb811dd1b23b87932e4dde243be4b Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Wed, 8 Apr 2026 01:36:54 +0100 Subject: [PATCH 15/46] fix: add note on server interoperability with Solid26 clients --- solid26.html | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/solid26.html b/solid26.html index f5a30afc..7c55b927 100644 --- a/solid26.html +++ b/solid26.html @@ -345,6 +345,10 @@

      Web Access Control

      Note

      We would like to update the referenced WAC version and snapshot link to include the proposed changes in solid/web-access-control-spec#134, if they are merged in time.

      +
      +

      Note

      +

      Servers that do not conform with this section can still interoperate with Solid26 clients that do not read or modify access controls.

      +
      From b5625db66d4b85f0a56840e4fef92b2bb370a562 Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Wed, 8 Apr 2026 13:58:58 +0100 Subject: [PATCH 16/46] fix: add Implementation Guidance section with WebID note --- solid26.html | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/solid26.html b/solid26.html index 7c55b927..c4b731b2 100644 --- a/solid26.html +++ b/solid26.html @@ -297,6 +297,12 @@

      Table of Contents

    • 2.3 Web Access Control
      • +
    • +

      3. Implementation Guidance

      +
        +
      1. 3.1 WebID
        2. +
      +
    • References
      • @@ -354,7 +360,22 @@

      Note

    +
    +

    Implementation Guidance

    +
    + +
    +

    WebID

    +
    +
    +

    Note

    +

    Work in progress: the content from the WebID guidance document is to be integrated into this section.

    +
    +
    +
    +
    +

    References

    From 84996d71c25b52adfed7e67650f36b7a4cf5e876 Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Tue, 14 Apr 2026 23:40:08 +0100 Subject: [PATCH 17/46] Update solid26.html Co-authored-by: Christoph Braun --- solid26.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solid26.html b/solid26.html index c4b731b2..429d3c2f 100644 --- a/solid26.html +++ b/solid26.html @@ -338,7 +338,7 @@

    Solid-OIDC

    Solid-OIDC (CG-DRAFT/FINAL, v0.1.0) is included in the Solid26 release.

    Note

    -

    Solid-OIDC v0.1.0 is not a widely implemented version. A document that accurately reflects current implementations is being drafted by Christoph Braun. This PR is waiting for that document to be available and ready to reference before merging.

    +

    Solid-OIDC v0.1.0 is not widely implemented. In particular, the recommended flow of User-Managed Access (UMA) is not supported by any open source Solid Server implementation (yet). Current implementations rely on the access token issued by the OpenID Provider of the user to authenticate the user at a Solid Storage. A corresponding Group Note document that accurately reflects current implementations is being drafted by Christoph Braun. This PR is waiting for that document to be available and ready to reference before merging.

    From cdf59627cc90a4f4b9e76803fb6febd300677afa Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Wed, 15 Apr 2026 01:42:01 +0100 Subject: [PATCH 18/46] Update solid26.html Co-authored-by: Christoph Braun --- solid26.html | 4 ---- 1 file changed, 4 deletions(-) diff --git a/solid26.html b/solid26.html index 429d3c2f..debd0d17 100644 --- a/solid26.html +++ b/solid26.html @@ -351,10 +351,6 @@

    Web Access Control

    Note

    We would like to update the referenced WAC version and snapshot link to include the proposed changes in solid/web-access-control-spec#134, if they are merged in time.

    -
    -

    Note

    -

    Servers that do not conform with this section can still interoperate with Solid26 clients that do not read or modify access controls.

    -
    From 84f1f3f818e2b63e2bf68532795de36f402dbb7a Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Wed, 15 Apr 2026 01:44:13 +0100 Subject: [PATCH 19/46] chore: update Christoph Brauns metadata Co-authored-by: Christoph Braun --- solid26.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solid26.html b/solid26.html index debd0d17..e0c9b9bf 100644 --- a/solid26.html +++ b/solid26.html @@ -239,7 +239,7 @@

    Solid26: Implementation Guide

    Editors
    Jesse Wright (University of Oxford)
    -
    Christoph Braun (Karlsruhe Institute of Technology)
    +
    Christoph Braun (Karlsruhe Institute of Technology (KIT))
    Published
    From a35a492b4fa9d2599bc526e969e0f45a9c9f2e7c Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Wed, 15 Apr 2026 01:46:17 +0100 Subject: [PATCH 20/46] Update solid26.html Co-authored-by: Christoph Braun --- solid26.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solid26.html b/solid26.html index e0c9b9bf..6ecfe638 100644 --- a/solid26.html +++ b/solid26.html @@ -275,7 +275,7 @@

    Abstract

    Status of This Document

    -

    This document was published by the W3C Solid Community Group as an implementation guide. It is not a W3C Standard nor is it on the W3C Standards Track.

    +

    This document was published by the W3C Solid Community Group as a Community Group Note. It is not a W3C Standard nor is it on the W3C Standards Track.

    This document is intended to provide implementation guidance for the Solid specifications collected in the Solid26 release. The content of this guide is informative and non-normative. It may be updated, replaced, or obsoleted by other documents at any time.

    Comments regarding this document are welcome. Please file issues on GitHub.

    From 51a6c3289126f8ee4209c7d9c9c857a715bffa34 Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Wed, 15 Apr 2026 01:47:28 +0100 Subject: [PATCH 21/46] Update solid26.html Co-authored-by: Christoph Braun --- solid26.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solid26.html b/solid26.html index 6ecfe638..a76c4385 100644 --- a/solid26.html +++ b/solid26.html @@ -324,7 +324,7 @@

    Specifications

    Solid Protocol

    -

    The Solid Protocol (CG-DRAFT/FINAL, v0.11.0) is included with the following amendments:

    +

    The Solid Protocol (CG-DRAFT/FINAL, v0.11.0) is included with the following comments:

    • Servers are not required to implement 5.3.1 Modifying Resources Using N3 Patches.
    • Servers MUST conform to Web Access Control (WAC). Clients are not required to conform to Access Control Policy (ACP).
      • From 17e6849376701679965066c474ac500afe9b331c Mon Sep 17 00:00:00 2001 From: Christoph Braun Date: Wed, 15 Apr 2026 08:40:59 +0200 Subject: [PATCH 22/46] Apply suggestion from code review: CG Note -> CG Report --- solid26.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solid26.html b/solid26.html index a76c4385..fb219b70 100644 --- a/solid26.html +++ b/solid26.html @@ -275,7 +275,7 @@

      Abstract

      Status of This Document

      -

      This document was published by the W3C Solid Community Group as a Community Group Note. It is not a W3C Standard nor is it on the W3C Standards Track.

      +

      This document was published by the W3C Solid Community Group as a Community Group Report. It is not a W3C Standard nor is it on the W3C Standards Track.

      This document is intended to provide implementation guidance for the Solid specifications collected in the Solid26 release. The content of this guide is informative and non-normative. It may be updated, replaced, or obsoleted by other documents at any time.

      Comments regarding this document are welcome. Please file issues on GitHub.

      From cf3d4b9437e7a3411c8521d09613d25afc6c11bf Mon Sep 17 00:00:00 2001 From: Christoph Braun Date: Thu, 16 Apr 2026 15:42:56 +0200 Subject: [PATCH 23/46] edit Solid26 based on feedback from CG meeting on 2026-04-15 --- solid26.html | 96 +++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 80 insertions(+), 16 deletions(-) diff --git a/solid26.html b/solid26.html index fb219b70..1092cc88 100644 --- a/solid26.html +++ b/solid26.html @@ -239,7 +239,7 @@

      Solid26: Implementation Guide

      Editors
      Jesse Wright (University of Oxford)
      -
      Christoph Braun (Karlsruhe Institute of Technology (KIT))
      +
      Christoph Braun (FZI Forschungszentrum Informatik)
      Published
      @@ -311,7 +311,12 @@

      Table of Contents

      Introduction

      -

      The Solid Specification defines multiple sub-specification documents with differing levels of maturity. Solid26 collects the most mature and widely implemented specification versions into one coherent reference — a snapshot of the parts of the Solid platform that are most broadly supported by existing implementations.

      +

      + The Solid Technical Reports comprise multiple specification documents with differing levels of maturity. + The Solid Protocol bundles the specifications that, together, provide applications with secure and permissioned access to externally stored data in an interoperable way. + Solid26 points implementers to fixed versions of the Solid Protocol and its sub-specifications, a stable snapshot of the specifications to build against today. + Solid26 selects for the most widely implemented specification versions at the time of this documents publication. +

      This document does not define new normative requirements, but rather identifies and collects the specifications needed to build interoperable Solid applications and servers.

      @@ -319,15 +324,60 @@

      Introduction

      Specifications

      -

      The Solid26 specification documents are as follows. All referenced specifications are W3C Solid Community Group Drafts.

      +

      This Solid26 Implementation Guide recommends the following specification snapshots.

      Solid Protocol

      The Solid Protocol (CG-DRAFT/FINAL, v0.11.0) is included with the following comments:

        -
      • Servers are not required to implement 5.3.1 Modifying Resources Using N3 Patches.
        • -
      • Servers MUST conform to Web Access Control (WAC). Clients are not required to conform to Access Control Policy (ACP).
        • +
      • + Clients are strongly encouraged to implement a PATCH fallback mechanism, in case they encounter a Server that does not implement 5.3.1 Modifying Resources Using N3 Patches despite it being required by the Solid Protocol. + For example, Clients might try to use a combination of HTTP GET and HTTP PUT to work around such limitation of a non-conformant Server. +
        • +
      • + Servers are strongly encouraged to implement Web Access Control (WAC), see below. +
        +

        Note

        +

        The March 2026 implementation survey yields the following results:

        +
          +
        • + For WAC, the data shows 13 server-side implementations, deployment in 11 services, and 19 client-side implementations. + WAC is considered the pragmatic, user-friendly, and extensible standard that effectively covers nearly all of the use cases from current Solid Apps. +
          • +
        • + For ACP, the data shows 4 server-side implementations, deployment in 1 service, and 4 client-side implementations. + ACP is considered as a highly powerful but complex tool that has not seen wide adoption in the community as the data indicates. +
          • +
        +

        The data shows that most clients implement only one access control language, despite the Solid Protocol requiring Clients to conform to both WAC and ACP.

        +
        +
        • +
      • + While the Solid Protocol technically requires any Client to conform to both authorization languages, Client implementers are advised to consider whether their Client implementation should actually attempt to modify access rules at all: + A separation between a client executing application-specific logic and a client executing authorization-related logic might be beneficial in terms of separation of concerns, maintainability, and re-usability of software components [BKY+24]. + Such approach might rely on +
          +
        • access requests to update access control rules accordingly on a Server
          • +
        • issued by the application-logic client
          • +
        • processed by either a particular Client that is able and trusted to manage access controls (such as an access management or authorization application) or by custom Server functionality
          • +
        +
        +

        [New Work Item]: Access Requests and Grants

         +

        + Access requests and their processing are currently are poposed work item to the CG. + Different approaches exist within the community; no consensus has been reached yet. + Implementers are encouraged to provide their implementation expierence as input to the community's discussion. +

        +
        +
        +

        Editor's Note (Christoph)

        +

        + Not sure if the above item provides sufficient guidance or is simply confusing due to the lack of context in the Solid Protocol for access requests altogether. + I, Christoph, am torn on the above item on access requests. Would like to hear the groups's opinion here. +

        +
        +
      @@ -335,10 +385,17 @@

      Solid Protocol

      Solid-OIDC

      -

      Solid-OIDC (CG-DRAFT/FINAL, v0.1.0) is included in the Solid26 release.

      -
      -

      Note

      -

      Solid-OIDC v0.1.0 is not widely implemented. In particular, the recommended flow of User-Managed Access (UMA) is not supported by any open source Solid Server implementation (yet). Current implementations rely on the access token issued by the OpenID Provider of the user to authenticate the user at a Solid Storage. A corresponding Group Note document that accurately reflects current implementations is being drafted by Christoph Braun. This PR is waiting for that document to be available and ready to reference before merging.

      +

      Solid-OIDC (CG-DRAFT/FINAL, v0.1.0) is included with the following comments:

      +
        +
      • +

        Despite Solid26 including Solid-OIDC v0.1.0, it is not widely implemented. In particular, the Solid-OIDC recommended flow of User-Managed Access (UMA) is not supported by any open source Solid Server implementation. Current implementations rely on the access token issued by the OpenID Provider of the user to authenticate the user at a Solid Storage.

        +
        • +
      +
      +

      EDITORS' Note

      +

      + A corresponding Group Note document that accurately reflects current implementations is being drafted by Christoph Braun. This PR is waiting for that document to be available and ready to reference before merging. +

      @@ -346,12 +403,13 @@

      Note

      Web Access Control

      -

      Web Access Control (CG-DRAFT/FINAL, 2024-05-12) is included in this release. Solid26 requires servers to implement WAC as their access control mechanism.

      -
      -

      Note

      -

      We would like to update the referenced WAC version and snapshot link to include the proposed changes in solid/web-access-control-spec#134, if they are merged in time.

      +

      Web Access Control (CG-DRAFT/FINAL, 2024-05-12) is included with the following comments:

      +
        +
      • + WAC is actively being maintained and developed: To officially extend WAC with functionality desired by the community, a corresponding proposal is seeking implementers' feedback (solid/web-access-control-spec#134). +
        • +
      -
      @@ -369,7 +427,6 @@

      Note

    -
    @@ -386,7 +443,14 @@

    References

    [WAC]
    Web Access Control. W3C Solid Community Group. URL: https://solidproject.org/TR/2024/wac-20240512
    - +
    [BKY+24]
    +
    + AuthApp - Portable, Reusable Solid App for GDPR-Compliant Access Granting. + Andreas Both; Thorsten Kastner; Dustin Yeboah; Christoph Braun; Daniel Schraudner; Sebastian Schmid; Tobias Käfer; Andreas Harth. + ICWE 2024: 199-214. + URL: https://doi.org/10.1007/978-3-031-62362-2_14 , + Postprint available at: https://publikationen.bibliothek.kit.edu/1000172187 +
    From 2ad25c39304b5ee44d48118e9254029931913fa5 Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Fri, 17 Apr 2026 01:36:50 +0100 Subject: [PATCH 24/46] clarify patch detection and fallback mechanisms --- solid26.html | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/solid26.html b/solid26.html index 1092cc88..4348427a 100644 --- a/solid26.html +++ b/solid26.html @@ -332,8 +332,9 @@

    Solid Protocol

    The Solid Protocol (CG-DRAFT/FINAL, v0.11.0) is included with the following comments:

    +

    From 12a71a33fc4674d7b296e2b6733856a9c1067e4c Mon Sep 17 00:00:00 2001 From: Christoph Braun Date: Mon, 20 Apr 2026 16:04:06 +0200 Subject: [PATCH 36/46] revising Solid Protocol comment re WAC to mention ACP --- solid26.html | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/solid26.html b/solid26.html index d5dd17df..a5c7abe6 100644 --- a/solid26.html +++ b/solid26.html @@ -347,22 +347,29 @@

    Solid Protocol

    Note that If-Match uses strong comparison, so weak ETags (those prefixed with W/) will not match.

  • - Servers are strongly encouraged to implement Web Access Control (WAC), see below. +

    + Servers are strongly encouraged to implement Web Access Control (WAC), see below. +

    Note

    The March 2026 implementation survey yields the following results (archived):

    • For WAC, the data shows 13 server-side implementations, deployment in 11 services, and 19 client-side implementations. - WAC is pragmatic, user-friendly, and extensible. WAC has all the features that most open, social, Web applications need. + WAC is considered the pragmatic, user-friendly, and extensible standard that effectively covers nearly all of the use cases from current Solid Apps.
    • For ACP, the data shows 4 server-side implementations, deployment in 1 service, and 4 client-side implementations. - ACP is highly expressive. ACP is most commonly applied in enterprise and B2B applications of Solid involving complex permissions. + ACP is considered an expressive and complex alternative that might be chosen to satisfy corresponding use-case specific requirements.

    The data shows that most clients implement only one access control language, despite the Solid Protocol requiring Clients to conform to both WAC and ACP.

    +

    + In case WAC seems not to satisfy implementers' requirements, implementers are strongly encouraged to verify their understanding of the matter in community discussion by providing feedback to the community. + If WAC is not able to satisfy the requirements, implementers might consider ACP or other suitable mechanisms to achieve their goals. + Client implementers are advised to consider that their Client implementation will not be able to interoperate with every conforming Server their Client might encounter. +

  • From 173f6c2798fee82d320815ccf106111ba43ed923 Mon Sep 17 00:00:00 2001 From: Christoph Braun Date: Mon, 20 Apr 2026 16:07:14 +0200 Subject: [PATCH 37/46] remove WAC comment --- solid26.html | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/solid26.html b/solid26.html index a5c7abe6..eebc6a33 100644 --- a/solid26.html +++ b/solid26.html @@ -414,12 +414,7 @@

    EDITORS' Note

    Web Access Control

    -

    Web Access Control (CG-DRAFT, v1.0.0, 2024-05-12) is included with the following comments:

    -
      -
    • - WAC is actively being maintained and developed: To officially extend WAC with functionality desired by the community, a corresponding proposal is seeking implementers' feedback (solid/web-access-control-spec#134). -
      • -
    +

    Web Access Control (CG-DRAFT, v1.0.0, 2024-05-12) is included.

    From bcc1de4978a776fe24b3f3de19d4e11acc8406dc Mon Sep 17 00:00:00 2001 From: Christoph Braun Date: Mon, 20 Apr 2026 16:09:23 +0200 Subject: [PATCH 38/46] indent etag flow --- solid26.html | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/solid26.html b/solid26.html index eebc6a33..a096a690 100644 --- a/solid26.html +++ b/solid26.html @@ -336,15 +336,15 @@

    Solid Protocol

    If a server does not support HTTP PATCH requests, the client can HTTP GET the resource, apply the change locally, and then HTTP PUT the resource back. If the server supports ETag headers or Last-Modified headers, clients can achieve the concurrency-control behaviour of HTTP PATCH by issuing a conditional PUT. ETag-based validation is more precise than date-based validation and should be preferred when a server supports both, because Last-Modified has only one-second resolution and may not reflect sub-second changes.

    -

    The flow is:

    +

    The flow is:

    -
      -
    • On GET, the server returns an ETag — an opaque validator identifying the current state of the resource (often derived from a content hash, but the exact derivation is up to the server). For example, imagine the server returns ETag: "xyzzy".
      • -
    • The client then makes a conditional PUT using the If-Match header: If-Match: "xyzzy". The server applies the PUT only if the resource's current ETag still matches "xyzzy"; otherwise it responds with 412 Precondition Failed. This guarantees the resource has not changed on the server between the GET and the PUT.
      • -
    • The equivalent using dates is If-Unmodified-Since paired with the Last-Modified value from the GET response. Note that If-Modified-Since is the header used for cache revalidation on GET, not for lost-update prevention on PUT.
      • -
    +
      +
    • On GET, the server returns an ETag — an opaque validator identifying the current state of the resource (often derived from a content hash, but the exact derivation is up to the server). For example, imagine the server returns ETag: "xyzzy".
      • +
    • The client then makes a conditional PUT using the If-Match header: If-Match: "xyzzy". The server applies the PUT only if the resource's current ETag still matches "xyzzy"; otherwise it responds with 412 Precondition Failed. This guarantees the resource has not changed on the server between the GET and the PUT.
      • +
    • The equivalent using dates is If-Unmodified-Since paired with the Last-Modified value from the GET response. Note that If-Modified-Since is the header used for cache revalidation on GET, not for lost-update prevention on PUT.
      • +
    -

    Note that If-Match uses strong comparison, so weak ETags (those prefixed with W/) will not match.

    +

    Note that If-Match uses strong comparison, so weak ETags (those prefixed with W/) will not match.

  • From 5af7e45363ef18ee9ba5f0f3f7457aa566a15765 Mon Sep 17 00:00:00 2001 From: Christoph Braun Date: Mon, 20 Apr 2026 16:19:28 +0200 Subject: [PATCH 39/46] add overview table for fixed specification versions --- solid26.html | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/solid26.html b/solid26.html index a096a690..87efee47 100644 --- a/solid26.html +++ b/solid26.html @@ -326,6 +326,33 @@

    Specifications

    This Solid26 Implementation Guide recommends the following specification snapshots.

    + + + + + + + + + + + + + + + + + + + + + + + + + +
    SpecificationVersionDetails
    Solid Protocol(CG-DRAFT, v0.11.0, 2024-05-12)Link
    Solid-OIDC(v0.1.0, 2022-03-28)Link
    Web Access Control(CG-DRAFT, v1.0.0, 2024-05-12)Link
    +

    Solid Protocol

    From 68f852e7d8575d7bc9e745f2a1606d7950ef4b7f Mon Sep 17 00:00:00 2001 From: Christoph Braun Date: Mon, 20 Apr 2026 17:54:48 +0200 Subject: [PATCH 40/46] Apply suggestions from code review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Tobias Käfer <6708974+kaefer3000@users.noreply.github.com> --- solid26.html | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/solid26.html b/solid26.html index 87efee47..5b235c9b 100644 --- a/solid26.html +++ b/solid26.html @@ -400,18 +400,18 @@

    Note

  • - Clients might desire to update access control on particular resources, e.g., for sharing a user's data with another user or application. + Some Clients might desire to update access control on particular resources, e.g., for sharing a user's data with another user or application. In such a case, Clients are strongly encouraged to rely on or make use of conforming implementations that are independently tested and verified, e.g., through open test suites and publicly documented implementation reports. Servers might only allow such tested and verified conformant Clients to modify access control rules.

    - Implementers are advised to consider whether their Client implementation should actually attempt to modify access rules at all: + Implementers of Clients are advised to consider whether their Client implementation should actually attempt to modify access rules at all: An architectural separation between a Client executing application-specific logic and a Client executing authorization-related logic might be beneficial in terms of separation of concerns, maintainability, and re-usability of software components [BKY+24]. Such separation allows Clients to rely on an externally tested and verified Client already implementing of authorization-related logic. Such approach to modifying access control rules might rely on

    • access requests to update access control rules accordingly on a Server
      • -
    • issued by the application-logic client
      • +
    • issued by the application-logic Client
    • processed by a particular Client that is able and trusted to manage access controls (such as an access management or authorization application)
    • From 2076240e2c85d7b758d517245923d19869f4a83a Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Fri, 24 Apr 2026 02:06:35 +0100 Subject: [PATCH 41/46] solid26: WebID Guidance (#781) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feat: boostrap webid section * feat: enhance Solid26 guidance sections * fix section headings * feat: enhance WebID Profile guidance with additional validation notes and refined predicate listings * feat: update WebID Profile note to include empirical data source for predicate usage * feat: add clarification on non-public WebID Document retrieval in WebID Profile * minor editorial * chore: consistency of term "Implementors Guide" with main PR Co-authored-by: Christoph Braun * fix foaf predicate and note on solid:oidcIssuer * Update solid26.html Co-authored-by: Christoph Braun * Add Linked Data Notifications inbox reference to WebID Profile * Update WebID Document union process to mention ldp:inbox in discovery predicates * remove use case specificity on authenticated webid Co-authored-by: Christoph Braun * Remove non-normative reference to Solid WebID Profile in comments * Update solid26.html Co-authored-by: Christoph Braun * chore: remove mention of profile shapes Co-authored-by: Christoph Braun * Tighten WebID term definitions in §3.1 Use "HTTP URI" for the WebID definition to match the normative section. Drop "Web resource" (not an established term) and the "Generally public / permissioned" hedging; state the auth property precisely where it matters. * Bound Extended Profile Document traversal in assembly algorithm Replace "transitively from the Preferences Document" recursion with an explicit, bounded traversal: one level from Extended Profile Documents linked directly off the WebID Document; no further traversal from Preferences-linked or Type-Index-linked documents. Introduce "discovery links" as a shorthand for rdfs:seeAlso / foaf:isPrimaryTopicOf / owl:sameAs and reuse it throughout §3.1.2 and §3.1.3. Add a note explaining why one level of traversal is needed when the WebID Document is not itself in Solid storage. * Drop 'publicly readable' qualifier in assembly step 1 Visibility of the WebID Document is covered in §3.1.2. Step 1 only needs to surface an error when retrieval fails. * Recommend an editable Extended Profile Document when WebID is not in Solid storage Address the case where the WebID Document itself cannot be modified by Solid clients: advise linking an Extended Profile Document in a Solid storage so clients have a writable attachment point for profile statements. * Require both text/turtle and application/ld+json for WebID Profile Document Align with Solid WebID Profile §3.1 Reading Profile, which extends WebID 1.0's Turtle-only requirement to include JSON-LD. * Refresh profile-editor list: drop PodBrowser, add dokieli PodBrowser is no longer actively maintained; dokieli is a widely-used reader/writer of agent profiles. * Clarify the predicate list ordering is advisory Make the reader/writer contract explicit: readers should accept any of the listed predicates as equivalent for a given field; writers typically commit to one. The stated order is a suggested preference and may vary by the ecosystem an application integrates with. * Drop unused [BIO] reference [BIO] was listed in §References but never cited in the document. * Surface error when WebID lacks solid:oidcIssuer A WebID without an oidcIssuer cannot authenticate via Solid-OIDC; clients should tell the user rather than failing opaquely further into the login flow. * Call out that missing Preferences/Type Index documents are not errors Not all WebIDs link a Preferences Document or Type Index documents; clients should skip their fetch silently rather than fail. * Use 'set union' in WebID Profile definition and assembly algorithm * Replace document-level self-describing filter with spec-aligned statement filter The earlier document-level 'self-describing' filter was a solid26-specific precaution not present in Solid WebID Profile. The current spec (§2 Discovery) states the profile is assembled by collecting statements with the WebID as subject or object. Drop the document-level filter; keep the statement-level filter and reword step 6 positively to match the spec. Also collapses §3.1.2 from two caveats to one (solid:oidcIssuer origin) and removes the now-obsolete step 4 in §3.1.3 — which means the 'switch steps 3 and 4' and 'explain step 4 better' colleague asks dissolve naturally. * Note the range of data-discovery mechanisms beyond the profile Client-side data discovery varies across the ecosystem; list the common mechanisms (Type Indexes, SAI, SPARQL / Quad Pattern Fragments endpoints, fixed paths under storage root, DCAT) without prescribing one. * Add §3.1.4 Security Considerations for solid:oidcIssuer protection Solid WebID Profile §Protected properties requires servers to protect solid:oidcIssuer triples, but no known Solid server implements this at time of publication; flag the implication for implementers in an informational subsection. * Remove references to WebID Profile SHACL shapes Drop the shape-validation note in §3.1.3, the profile-shapes.ttl reference and dagger markers in §4, and the companion 'not in the shape' annotation. Shape documentation belongs in the WebID Profile repo, not in this implementation guide. * Soften predicate-list framing to 'fallbacks to consider' Drop the SHOULD-accept-as-equivalent normative framing; present the list as optional fallbacks applications may consider. * Refresh predicate list from dokieli and SolidOS profile renderers Derive the fallback ordering from what dokieli and SolidOS profile-pane actually read: flip Name to foaf:name-first, broaden Avatar to the full dokieli chain, add social accounts, schema:hasOccupation, cco:skill, vcard:language, solid:preferredLanguage, schema:knows, vcard:url. Pull ActivityStreams and SIOC into the referenced vocabularies. * Drop section numbers from external spec references Per csarven (PR #781) and jeswr's agreement: section numbers in referenced specs are not reliable across snapshots. Keep link text as the section title only; internal cross-references within this document keep their numbers. * Language pass on §3.1 WebID: tighten prose, fix Implementors typo Remove duplicated and filler phrasing across §3.1: - Intro lists subsections (incl. new §3.1.4) without restating them. - Term-dl header: 'For the purposes of this section' dropped. - Fix 'Implementors Guide' typo in §3.1.1 heading. - Compact '?webid ?p ?o, where ?webid is the WebID and each ?iss is…' patterns to one statement-form with inline angle-bracket terms. - Drop '(e.g. a person)' filler. - Collapse 'MAY be hosted anywhere; it MAY, but need not, reside…' to single clause. - Tighten the Profile Document URI-resolution sentence, and several notes / algorithm steps that repeated 'Extended Profile Document' / 'Solid WebID Profile' within the same sentence. * Soften security-note framing and restore absent-link prose Use 'Not all Solid servers implement this protection' rather than 'No known Solid server', and restore the fuller wording about Preferences/Type Index documents being absent. * Replace numeric section refs with names; say 'set union of statements' Inline section names as link text instead of '§ 3.1.1' / '§ 3.1.3' style refs; reads naturally without relying on the TOC numbering. Both 'set union' occurrences now read 'set union of statements' to make the RDF-graph semantics explicit. * Drop the 'pinned specifications' framing Per csarven: framing certain specs as 'pinned' reads as gatekeeping and adds no value for the reader. Rephrase the §3.1 intro so requirements and common assumptions are stated as drawn from the Solid26 Implementation Guide specifications, and trim the §3.1.2 sub-bullet to 'These specifications do not preclude...'. * Extend WebID Profile definition to match algorithm sources The assembly algorithm unions statements from the Preferences Document and Type Index documents as well as Extended Profile Documents; the term definition now names all four sources. --------- Co-authored-by: Christoph Braun Co-authored-by: Christoph Braun --- solid26.html | 221 +++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 215 insertions(+), 6 deletions(-) diff --git a/solid26.html b/solid26.html index 5b235c9b..abf71a3f 100644 --- a/solid26.html +++ b/solid26.html @@ -295,14 +295,25 @@

    Table of Contents

  • 2.1 Solid Protocol
  • 2.2 Solid-OIDC
  • 2.3 Web Access Control
    • +
  • 2.4 WebID 1.0
    • +
  • 2.5 Solid WebID Profile

  • 3. Implementation Guidance

      -
    1. 3.1 WebID
      2. +
    2. +

      3.1 WebID

      +
        +
      1. 3.1.1 Requirements derivable from Solid26 Implementation Guide specifications
        2. +
      2. 3.1.2 Common assumptions not required by Solid26 Implementation Guide specifications
        3. +
      3. 3.1.3 Assembling the Profile
        4. +
      4. 3.1.4 Security Considerations
        5. +
      +
    • +

  • 4. Guidance for clients

  • References
    • @@ -359,7 +370,7 @@

    Solid Protocol

    The Solid Protocol (CG-DRAFT, v0.11.0, 2024-05-12) is included with the following comments:

    • -

      Clients might encounter Servers that do not support § 5.3.1 Modifying Resources Using N3 Patches despite it being required by the Solid Protocol. Clients can use Allow headers to determine if a Server supports HTTP PATCH requests.

      +

      Clients might encounter Servers that do not support Modifying Resources Using N3 Patches despite it being required by the Solid Protocol. Clients can use Allow headers to determine if a Server supports HTTP PATCH requests.

      If a server does not support HTTP PATCH requests, the client can HTTP GET the resource, apply the change locally, and then HTTP PUT the resource back. If the server supports ETag headers or Last-Modified headers, clients can achieve the concurrency-control behaviour of HTTP PATCH by issuing a conditional PUT. ETag-based validation is more precise than date-based validation and should be preferred when a server supports both, because Last-Modified has only one-second resolution and may not reflect sub-second changes.

      @@ -445,6 +456,23 @@

      Web Access Control

      +
      +

      WebID 1.0

      +
      +

      WebID 1.0 (W3C Editor's Draft, 5 March 2014) is included.

      +
      +
      + +
      +

      Solid WebID Profile

      +
      +

      The Solid WebID Profile (CG Draft Report, v1.0.0, 12 May 2024) is included with the following comments:

      + +
      +
      + @@ -455,15 +483,178 @@

      Implementation Guidance

      WebID

      -
      -

      Note

      -

      Work in progress: the content from the WebID guidance document is to be integrated into this section.

      -
      + +

      This section gives WebID implementation guidance for the Solid26 Implementation Guide. It covers requirements and common assumptions drawn from the Solid26 Implementation Guide specifications, a profile assembly algorithm, and security considerations. Client-side guidance is given separately.

      + +

      Terms used in this section:

      +
      +
      WebID
      +
      An HTTP URI that denotes an agent [WEBID], [SOLID-PROTOCOL].
      +
      WebID Profile Document
      +
      The document obtained by dereferencing a WebID.
      +
      Extended Profile Document
      +
      A further document linked from the WebID Profile Document that contains additional statements about the WebID; retrieval may require authentication.
      +
      Preferences Document
      +
      A document, linked from the agent's WebID Profile via pim:preferencesFile, that holds settings and pointers to private data; typically accessible only to the agent or a delegate.
      +
      WebID Profile
      +
      The RDF graph [RDF11-CONCEPTS] formed by the set union of statements drawn from the WebID Profile Document, any Extended Profile Documents, the Preferences Document, and the Type Index documents, assembled per the common assumptions below.
      +
      + +
      +

      Requirements derivable from Solid26 Implementation Guide specifications

      +
      +
        +
      1. + A WebID is an HTTP URI denoting an agent [WebID 1.0 § Terminology]. +
        2. +
      2. + The WebID Profile Document is obtained by dereferencing the WebID HTTP URI: for a WebID with a fragment (e.g. #me), the fragment-less URI identifies it; for a WebID without a fragment, an HTTP GET MUST return 303 See Other whose Location identifies it [WebID 1.0 § Terminology, § The WebID HTTP URI]. +
        3. +
      3. + A WebID Document MAY be hosted anywhere on the Web, in or out of Solid storage [WebID 1.0 § Publishing the WebID Profile Document]. +
          +
        • A Solid client can only modify a WebID Profile if the underlying document is in a Solid storage. When the WebID Document is not in a Solid storage, it is recommended to link at least one Extended Profile Document that is, so that clients can attach further profile statements by writing to it.
          • +
        +
        4. +
      4. + The WebID Profile Document MUST be available in text/turtle and application/ld+json [WebID 1.0 § Publishing the WebID Profile Document; Solid WebID Profile § Reading Profile]. +
        5. +
      5. + The WebID Profile MUST contain at least one statement <webid> solid:oidcIssuer <iss>, where <iss> is an OpenID Provider trusted to issue ID Tokens for the WebID [Solid-OIDC § OIDC Issuer Discovery]. +
        6. +
      6. + Solid storages owned by the agent MAY be advertised in the WebID Profile via <webid> pim:storage <storage> [Solid Protocol § Storage]. +
        7. +
      7. + An agent MAY advertise a Linked Data Notifications inbox via <webid> ldp:inbox <inbox>; other agents post notifications there [Solid WebID Profile § WebID Profile Data Model; Solid Protocol § Linked Data Notifications]. +
        8. +
      +
      +
      + +
      +

      Common assumptions not required by Solid26 Implementation Guide specifications

      +
      +
        +
      1. + The WebID Document is a public resource (i.e. an unauthenticated HTTP GET on the WebID URI returns the Profile) [WebID 1.0 § Processing the WebID Profile]. +
          +
        • These specifications do not preclude authenticated retrieval of a non-public WebID Document by a server acting as a client, though current server implementations generally do not support it.
          • +
        +
        2. +
      2. + The pim:storage statement in the WebID Profile is the only sound mechanism for discovering an agent's storages. The storageDescription Link header is not to be used for this purpose: a WebID Document hosted in a storage does not imply the WebID owns that storage [Solid Protocol § Privacy Considerations]. +
        3. +
      3. + The WebID Profile is assembled by collecting all statements that have the WebID as subject or object, drawn from the WebID Document and from any Extended Profile Document linked from it via rdfs:seeAlso, foaf:isPrimaryTopicOf, or owl:sameAs (collectively, discovery links) [Solid WebID Profile § Discovery; Solid WebID Profile § Extending a Profile; WebID 1.0 § Processing the WebID Profile]. Extended Profile Documents may require authenticated retrieval. One caveat applies: +
          +
        • solid:oidcIssuer is honoured only from the WebID Document; statements of the form ?webid solid:oidcIssuer ?iss in Extended Profile Documents are ignored.
          • +
        +
        4. +
      +
      +
      + +
      +

      Assembling the Profile

      +
      + +

      Per [Solid WebID Profile § Discovery], the full profile is the union of statements in:

      +
        +
      • the WebID Profile Document;
        • +
      • Extended Profile Documents directly linked from the WebID Document via discovery links, and Extended Profile Documents that those in turn link by discovery links;
        • +
      • the agent's Preferences Document (linked via pim:preferencesFile) and the Extended Profile Documents it links by discovery links;
        • +
      • the agent's public and private Type Index documents (linked via solid:publicTypeIndex and solid:privateTypeIndex).
        • +
      + +

      To assemble it:

      +
        +
      1. GET the WebID Document. If it cannot be retrieved, surface a clear error.
        2. +
      2. GET each linked document: Extended Profile Documents via discovery links, the Preferences Document via pim:preferencesFile, and Type Index documents via solid:publicTypeIndex/solid:privateTypeIndex. On 401/403 with a logged-in user, retry authenticated; Preferences and the private Type Index normally require authentication [Solid WebID Profile § Discovery, § Private Preferences]. If the WebID Document does not link a Preferences Document or Type Index documents, those fetches are skipped; their absence is not an error.
        3. +
      3. For each Extended Profile Document linked directly from the WebID Document, fetch the Extended Profile Documents it links via its discovery links. Do not traverse further: discovery links in the documents fetched by this step, in extended profiles discovered from the Preferences Document, and in Type Index documents are not followed. Use cycle detection so no document is fetched twice.
        4. +
      4. Form the set union of statements from the fetched documents, then drop every solid:oidcIssuer triple that did not originate in the WebID Document: that predicate is authoritative only when sourced there, mirroring the write protection in Solid WebID Profile § Updating Profile. Other discovery predicates (e.g. pim:storage, ldp:inbox) may legitimately appear in any of these documents.
        5. +
      5. Retain only statements that have the WebID as subject or object [Solid WebID Profile § Discovery].
        6. +
      + +
      +

      Note

      +

      When the WebID Document is not hosted in Solid storage, clients cannot add new discovery links to it. The one level of traversal from Extended Profile Documents in Solid storage lets a client attach further Extended Profile Documents (for example, at different access levels) via links it can write.

      +
      + +
      +
      + +
      +

      Security Considerations

      +
      +

      [Solid WebID Profile § Protected properties] requires servers hosting a WebID Document to protect solid:oidcIssuer triples from modification by non-owners. Not all Solid servers implement this protection; on a server that does not, any agent with write access to the document can modify the WebID's issuer.

      +
      +
      +
      +
      +

      Guidance for clients

      +
      + +

      This section targets clients acting on behalf of a single end user — reading and writing the user's data — as opposed to authorization agents, profile editors, or server-side resource servers. The recommended flow is:

      + +
        +
      1. +

        Obtain the user's WebID. Prompt for a WebID URI and validate that it is a well-formed http/https URI. Surface clear errors for malformed input, 404s, and responses that cannot be parsed as RDF.

        +
        2. +
      2. +

        Dereference the WebID. Issue an unauthenticated GET on the WebID URI. The 303 See Other redirect to the WebID Document is expected per the "Cool URIs for the Semantic Web" pattern, but other 3xx codes (301, 302, 307, 308) may also occur and must be handled.

        +
        3. +
      3. +

        Authenticate the user via their OpenID Provider. Read ?webid solid:oidcIssuer ?iss from the WebID Document. If no solid:oidcIssuer statement is present, surface a clear error: the WebID is not usable for Solid authentication. If more than one issuer is listed, let the user choose. Before initiating the Solid-OIDC login flow, fetch the issuer's OpenID Connect Discovery 1.0 configuration and verify that webid appears in scopes_supported [Solid-OIDC § OIDC Issuer Discovery, § OpenID Provider Conformance].

        +
        4. +
      4. +

        Build the WebID Profile graph by running Assembling the Profile (do not discover storages via the solid:storageDescription Link header).

        +
        5. +
      + +
      +

      Note

      +

      pim:storage may yield more than one value. When the application needs exactly one storage to write data into, prompt the user to choose rather than picking one silently.

      +
      + +
      +

      Note

      +

      The Solid WebID Profile [WEBID-PROFILE] does not standardise predicates for rendering an agent's identity. For empirical data on which predicates are actually populated across the ecosystem, implementers can consult solid-load-profile, which summarises predicate usage from a sample of live Solid profiles. The list below targets foaf:Person, vcard:Individual, and schema:Person, drawing from the predicates read by existing profile renderers including SolidOS/mashlib, PodOS, Penny, and dokieli. Vocabularies referenced: FOAF [FOAF], vCard [VCARD-RDF], Schema.org [SCHEMA-ORG], ActivityStreams, SIOC, Org, and Solid Terms.

      +

      The following is a list of fallback predicates that applications may wish to consider using when rendering a profile. The order given for each field is a suggested preference; other orderings may be more appropriate depending on the ecosystem the application integrates with.

      +
        +
      • Name: foaf:name, with fallbacks to schema:name, vcard:fn, as:name, or rdfs:label. For structured names: schema:givenName+schema:familyName, foaf:givenName+foaf:familyName, or vcard:given-name+vcard:family-name.
        • +
      • Short name / nickname: foaf:nick, with fallback to vcard:nickname.
        • +
      • Avatar / photo: vcard:hasPhoto, with fallbacks to as:image, as:icon, foaf:img, schema:image, vcard:photo, sioc:avatar, or foaf:depiction.
        • +
      • Email: vcard:hasEmail, with fallbacks to schema:email or foaf:mbox.
        • +
      • Telephone: vcard:hasTelephone.
        • +
      • Address: vcard:hasAddress (with vcard:country-name, vcard:locality on the value).
        • +
      • Description / bio: vcard:note, with fallback to schema:description.
        • +
      • Birthday: vcard:bday.
        • +
      • Organization & role: vcard:organization-name and vcard:role; for richer involvement, org:organization/org:member and org:role, or schema:hasOccupation.
        • +
      • Pronouns: solid:preferredSubjectPronoun, solid:preferredObjectPronoun, solid:preferredRelativePronoun.
        • +
      • Skills: schema:skills, with fallback to cco:skill.
        • +
      • Languages: vcard:language, with fallbacks to schema:knowsLanguage or solid:preferredLanguage.
        • +
      • Friends / contacts: foaf:knows, with fallback to schema:knows.
        • +
      • Profile colours: solid:profileHighlightColor, solid:profileBackgroundColor.
        • +
      • Homepage / web page: foaf:homepage, foaf:weblog, schema:url, or vcard:url.
        • +
      • Social accounts: foaf:account, with account nodes carrying foaf:accountName and foaf:userProfilePrefix.
        • +
      +

      None of these are guaranteed to be present; UIs should fall back to the WebID URI when no human-readable label is available.

      +
      + +
      +

      Note

      +

      Data discovery beyond the profile varies across the ecosystem. Mechanisms in active use include: Type Indexes; Solid Application Interoperability (SAI); SPARQL or Quad Pattern Fragments endpoints; fixed paths under the root of a storage; and DCAT catalogues. This guide does not prescribe a single mechanism.

      +
      + +
      +
      +

      References

      @@ -477,6 +668,24 @@

      References

      [WAC]
      Web Access Control. Sarven Capadisli. W3C Solid Community Group. 12 May 2024. Draft Community Group Report, Version 1.0.0. URL: https://solidproject.org/TR/2024/wac-20240512
      +
      [WEBID]
      +
      WebID 1.0. Andrei Sambra; Stéphane Corlosquet. W3C WebID Community Group. 5 March 2014. W3C Editor's Draft. URL: https://www.w3.org/2005/Incubator/webid/spec/identity/
      + +
      [WEBID-PROFILE]
      +
      Solid WebID Profile. Virginia Balseiro; Jeff Zucker; Sarven Capadisli (eds.). Tim Berners-Lee; Sarven Capadisli; Virginia Balseiro; Timea Turdean; Jeff Zucker (authors). W3C Solid Community Group. 12 May 2024. Draft Community Group Report, Version 1.0.0. URL: https://solid.github.io/webid-profile/
      + +
      [RDF11-CONCEPTS]
      +
      RDF 1.1 Concepts and Abstract Syntax. Richard Cyganiak; David Wood; Markus Lanthaler. W3C. 25 February 2014. W3C Recommendation. URL: https://www.w3.org/TR/rdf11-concepts/
      + +
      [FOAF]
      +
      FOAF Vocabulary Specification 0.99. Dan Brickley; Libby Miller. 14 January 2014. URL: http://xmlns.com/foaf/spec/
      + +
      [VCARD-RDF]
      +
      vCard Ontology - for describing People and Organizations. Renato Iannella; James McKinney. W3C. 22 May 2014. W3C Working Group Note. URL: https://www.w3.org/TR/vcard-rdf/
      + +
      [SCHEMA-ORG]
      +
      Schema.org. W3C Schema.org Community Group. URL: https://schema.org/
      +
      [BKY+24]
      AuthApp - Portable, Reusable Solid App for GDPR-Compliant Access Granting. From 6ec3f4346043fe6025091af756b3bd7f50c3ec39 Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Fri, 24 Apr 2026 02:20:03 +0100 Subject: [PATCH 42/46] Trim ETag conditional-PUT section to a pointer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Per @csarven (#776 thread on line 386): the full step-by-step flow and the strong/weak ETag footnote were replaying RFC 9110 rather than guiding. Collapse to one paragraph that states the problem, names the mechanism, and points at W3C Editing the Web and RFC 9110 § Validator Fields. --- solid26.html | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/solid26.html b/solid26.html index abf71a3f..cbd5a9f2 100644 --- a/solid26.html +++ b/solid26.html @@ -372,17 +372,7 @@

      Solid Protocol

    • Clients might encounter Servers that do not support Modifying Resources Using N3 Patches despite it being required by the Solid Protocol. Clients can use Allow headers to determine if a Server supports HTTP PATCH requests.

      -

      If a server does not support HTTP PATCH requests, the client can HTTP GET the resource, apply the change locally, and then HTTP PUT the resource back. If the server supports ETag headers or Last-Modified headers, clients can achieve the concurrency-control behaviour of HTTP PATCH by issuing a conditional PUT. ETag-based validation is more precise than date-based validation and should be preferred when a server supports both, because Last-Modified has only one-second resolution and may not reflect sub-second changes.

      - -

      The flow is:

      - -
        -
      • On GET, the server returns an ETag — an opaque validator identifying the current state of the resource (often derived from a content hash, but the exact derivation is up to the server). For example, imagine the server returns ETag: "xyzzy".
        • -
      • The client then makes a conditional PUT using the If-Match header: If-Match: "xyzzy". The server applies the PUT only if the resource's current ETag still matches "xyzzy"; otherwise it responds with 412 Precondition Failed. This guarantees the resource has not changed on the server between the GET and the PUT.
        • -
      • The equivalent using dates is If-Unmodified-Since paired with the Last-Modified value from the GET response. Note that If-Modified-Since is the header used for cache revalidation on GET, not for lost-update prevention on PUT.
        • -
      - -

      Note that If-Match uses strong comparison, so weak ETags (those prefixed with W/) will not match.

      +

      If a server does not support HTTP PATCH, a client can read-modify-write via GET then PUT. To avoid the lost-update problem [W3C — Editing the Web], issue the PUT conditionally with If-Match carrying the ETag returned from the GET; the server responds with 412 Precondition Failed if the resource has changed in the interim. If only Last-Modified is exposed, If-Unmodified-Since serves the same role, though its one-second resolution is coarser than ETag-based validation. See RFC 9110 § Validator Fields for the full mechanics.

    • From 9bfe0bf8ced08038d97f87df97ad6ef3eed33168 Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Fri, 24 Apr 2026 02:24:55 +0100 Subject: [PATCH 43/46] Fix malformed HTML in Solid Protocol comments The third outer bullet had a

      that was never closed before an inner

        (invalid:

        cannot contain block-level content), and a trailing orphan

        after the outer
      . Close the paragraph before the list and drop the orphan. Addresses @TallTed (#776 thread on line 372). --- solid26.html | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/solid26.html b/solid26.html index cbd5a9f2..ed5d2a17 100644 --- a/solid26.html +++ b/solid26.html @@ -410,14 +410,14 @@

      Note

      An architectural separation between a Client executing application-specific logic and a Client executing authorization-related logic might be beneficial in terms of separation of concerns, maintainability, and re-usability of software components [BKY+24]. Such separation allows Clients to rely on an externally tested and verified Client already implementing of authorization-related logic. Such approach to modifying access control rules might rely on -
        -
      • access requests to update access control rules accordingly on a Server
        • -
      • issued by the application-logic Client
        • -
      • processed by a particular Client that is able and trusted to manage access controls (such as an access management or authorization application)
        • -
      +

      +
        +
      • access requests to update access control rules accordingly on a Server
        • +
      • issued by the application-logic Client
        • +
      • processed by a particular Client that is able and trusted to manage access controls (such as an access management or authorization application)
        • +
    -

    From 7be1a87207bf9c1ca85b01daccfcc4ccc4be15cc Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Fri, 24 Apr 2026 02:42:27 +0100 Subject: [PATCH 44/46] =?UTF-8?q?Add=20=C2=A75=20Security=20and=20Privacy?= =?UTF-8?q?=20Considerations?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Collect known security/privacy limitations across the pinned specs into a new top-level section with six subsections: - §5.1 WebID Profile Integrity (absorbs the former §3.1.4 on solid:oidcIssuer write-protection; adds WebID 1.0 §Security Considerations on profile-document integrity and the Solid-OIDC guidance that the RDF body is canonical for issuer discovery). - §5.2 Application Authorization (addresses @elf-pavlik #4276686814: WAC/ACP authorize agents not applications, Origin is not client identification, ACP Client-matcher limits). - §5.3 Access Control Leakage (WAC-documented leakage via Location, DELETE/PATCH status codes, lack of mandated audit trails). - §5.4 Personal Data in Access Control and Preferences (WAC PII transitive to acl:Control holders; Preferences Documents hold private data with protection delegated to WAC/ACP). - §5.5 Client Identity and Trust (Solid-OIDC §Out of Scope, §Client Secrets in browser SPAs). - §5.6 Profile and Storage Discoverability (Solid Protocol §Privacy Considerations; WebID 1.0 absence of privacy section). The new section explicitly notes it was drafted with generative-AI assistance to kickstart coverage and that community review is expected. Update §3.1 intro and TOC accordingly: §3.1.4 gone, new §5 + subsections added. --- solid26.html | 99 +++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 90 insertions(+), 9 deletions(-) diff --git a/solid26.html b/solid26.html index ed5d2a17..9b34d200 100644 --- a/solid26.html +++ b/solid26.html @@ -308,12 +308,22 @@

    Table of Contents

  • 3.1.1 Requirements derivable from Solid26 Implementation Guide specifications
  • 3.1.2 Common assumptions not required by Solid26 Implementation Guide specifications
  • 3.1.3 Assembling the Profile
    • -
  • 3.1.4 Security Considerations

  • 4. Guidance for clients

    • +
  • +

    5. Security and Privacy Considerations

    +
      +
    1. 5.1 WebID Profile Integrity
      2. +
    2. 5.2 Application Authorization
      3. +
    3. 5.3 Access Control Leakage
      4. +
    4. 5.4 Personal Data in Access Control and Preferences
      5. +
    5. 5.5 Client Identity and Trust
      6. +
    6. 5.6 Profile and Storage Discoverability
      7. +
    +
  • References
    • @@ -474,7 +484,7 @@

    Implementation Guidance

    WebID

    -

    This section gives WebID implementation guidance for the Solid26 Implementation Guide. It covers requirements and common assumptions drawn from the Solid26 Implementation Guide specifications, a profile assembly algorithm, and security considerations. Client-side guidance is given separately.

    +

    This section gives WebID implementation guidance for the Solid26 Implementation Guide. It covers requirements and common assumptions drawn from the Solid26 Implementation Guide specifications, and a profile assembly algorithm. Client-side guidance is in a separate section; known limitations are collected in Security and Privacy Considerations.

    Terms used in this section:

    @@ -574,13 +584,6 @@

    Note

    -
    -

    Security Considerations

    -
    -

    [Solid WebID Profile § Protected properties] requires servers hosting a WebID Document to protect solid:oidcIssuer triples from modification by non-owners. Not all Solid servers implement this protection; on a server that does not, any agent with write access to the document can modify the WebID's issuer.

    -
    -
    - @@ -645,6 +648,84 @@

    Note

    +
    +

    Security and Privacy Considerations

    +
    + +
    +

    Note

    +

    This section was drafted with the assistance of generative AI to kickstart coverage of known security and privacy limitations across the Solid26 Implementation Guide specifications. Community review and refinement is expected. Solid WebID Profile and the Access Control Policy draft do not include dedicated Security or Privacy Considerations sections in their current drafts; items sourced from them below are drawn from inline notes or absences.

    +
    + +

    This section collects known security and privacy limitations that implementers should be aware of when building against the specifications in this guide. Items below are sourced from the referenced specifications.

    + +
    +

    WebID Profile Integrity

    +
    +
      +
    • The meaning of a WebID depends on the integrity of its WebID Profile Document. DNS tampering, TLS interception, or unauthorised write access to the document subverts the WebID's semantics [WebID 1.0 § Security Considerations].
      • +
    • [Solid WebID Profile § Protected properties] requires servers hosting a WebID Document to protect solid:oidcIssuer triples from modification by non-owners. Not all Solid servers implement this protection; on a server that does not, any agent with write access to the document can modify the WebID's issuer.
      • +
    • When resolving solid:oidcIssuer during authentication, clients MUST treat the RDF body of the WebID Document as canonical rather than any Link header that purports to advertise the issuer; a mismatch between the two is a spoofing vector [Solid-OIDC § OIDC Issuer Discovery].
      • +
    +
    +
    + +
    +

    Application Authorization

    +
    +

    Web Access Control and Access Control Policy both authorize agents (identified by WebID), not the applications acting on their behalf. Once a user grants an agent access to a resource, any application operating under that agent's WebID inherits that access. Work in the Solid CG is exploring application-aware authorization:

    +
      +
    • WAC has no built-in mechanism to constrain access by application. Its Origin-based matching is explicitly not intended as client identification [WAC § Security and Privacy Review].
      • +
    • ACP can express application-aware rules via the Client matcher, but practical coverage in current implementations is limited (see this demonstration).
      • +
    • Ongoing CG proposals (e.g. conditional-grants extensions to WAC) aim to address these gaps but have not been incorporated into the pinned versions.
      • +
    +
    +
    + +
    +

    Access Control Leakage

    +
    +
      +
    • Append-only permissions can leak the existence of created resources via the Location or Content-Location header in POST responses, even when the requester lacks read access to the container [WAC § Privacy Considerations].
      • +
    • DELETE and PATCH status codes can reveal the existence of resources a requester cannot read — for example, a 404 vs. 403 distinction on a SPARQL DELETE DATA [WAC § Privacy Considerations].
      • +
    • WAC does not mandate audit trails or change notifications for ACL modifications; implementations are only encouraged to provide such accountability features [WAC § Security Considerations].
      • +
    +
    +
    + +
    +

    Personal Data in Access Control and Preferences

    +
    +
      +
    • Access-control resources and group resources can themselves carry personal data (for example, the WebIDs and group memberships of other agents). Any agent holding acl:Control on such a resource can read this data; consent to include someone in an ACL is effectively transitive to everyone with Control rights on it [WAC § Security and Privacy Review].
      • +
    • Preferences Documents are described as legitimate stores for private information, but the Solid WebID Profile draft delegates all protection to WAC/ACP without additional in-spec guidance [Solid WebID Profile § Reading Profile]. Implementers should treat Preferences as sensitive and ensure access controls are applied correctly at storage creation.
      • +
    +
    +
    + +
    +

    Client Identity and Trust

    +
    +
      +
    • Solid-OIDC does not define a mechanism for strongly-asserted client identity; Authorization Servers cannot reliably distinguish one ephemeral client from another, and are expected to treat anonymous clients with low-trust policies [Solid-OIDC § Out of Scope, § Client IDs].
      • +
    • Browser-based clients cannot safely hold client secrets. Confidential-client protections defined by OAuth 2.0 are therefore not available in typical single-page application deployments [Solid-OIDC § Client Secrets].
      • +
    +
    +
    + +
    +

    Profile and Storage Discoverability

    +
    +
      +
    • Information an agent might choose to omit from their WebID Profile (for example, pim:storage or ldp:inbox) may still be discoverable from other resources hosted in the same storage. Exclusion from the profile does not imply non-discoverability [Solid Protocol § Privacy Considerations].
      • +
    • WebID 1.0 does not include a Privacy Considerations section. Because WebID Profile Documents are typically publicly dereferenceable, profile enumeration and correlation across services are possible by default; deployments that wish to limit this must impose it through access control, not the specification.
      • +
    +
    +
    + +
    +
    +

    References

    From 0019a7402d4d7bd10eae02adc363b363a1f1e8ac Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Fri, 24 Apr 2026 02:48:57 +0100 Subject: [PATCH 45/46] =?UTF-8?q?Tighten=20=C2=A75=20Security=20and=20Priv?= =?UTF-8?q?acy=20to=20four=20core=20points?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previous draft had six subsections and fifteen bullets that were overkill for the guide's scale. Collapse to a single flat list of the four points implementers most need to know: - WebID integrity (solid:oidcIssuer server protection) - Authorization authorizes agents, not applications - Consent transitivity in access control - Client identity / no-secrets-in-SPA Drop the WAC leakage subsection, Preferences delegation bullet, profile-discoverability subsection, and the header-vs-body spoofing footnote — these are real but niche, and their spec citations give implementers a pointer if they need them. TOC simplified accordingly: §5 has no subsection entries. --- solid26.html | 85 +++++----------------------------------------------- 1 file changed, 8 insertions(+), 77 deletions(-) diff --git a/solid26.html b/solid26.html index 9b34d200..8208eed9 100644 --- a/solid26.html +++ b/solid26.html @@ -313,17 +313,7 @@

    Table of Contents

  • 4. Guidance for clients

    • -
  • -

    5. Security and Privacy Considerations

    -
      -
    1. 5.1 WebID Profile Integrity
      2. -
    2. 5.2 Application Authorization
      3. -
    3. 5.3 Access Control Leakage
      4. -
    4. 5.4 Personal Data in Access Control and Preferences
      5. -
    5. 5.5 Client Identity and Trust
      6. -
    6. 5.6 Profile and Storage Discoverability
      7. -
    -
    • +

  • 5. Security and Privacy Considerations

  • References
    • @@ -654,74 +644,15 @@

    Security and Privacy Considerations

    Note

    -

    This section was drafted with the assistance of generative AI to kickstart coverage of known security and privacy limitations across the Solid26 Implementation Guide specifications. Community review and refinement is expected. Solid WebID Profile and the Access Control Policy draft do not include dedicated Security or Privacy Considerations sections in their current drafts; items sourced from them below are drawn from inline notes or absences.

    +

    Drafted with generative-AI assistance to kickstart coverage; community review is expected.

    -

    This section collects known security and privacy limitations that implementers should be aware of when building against the specifications in this guide. Items below are sourced from the referenced specifications.

    - -
    -

    WebID Profile Integrity

    -
    -
      -
    • The meaning of a WebID depends on the integrity of its WebID Profile Document. DNS tampering, TLS interception, or unauthorised write access to the document subverts the WebID's semantics [WebID 1.0 § Security Considerations].
      • -
    • [Solid WebID Profile § Protected properties] requires servers hosting a WebID Document to protect solid:oidcIssuer triples from modification by non-owners. Not all Solid servers implement this protection; on a server that does not, any agent with write access to the document can modify the WebID's issuer.
      • -
    • When resolving solid:oidcIssuer during authentication, clients MUST treat the RDF body of the WebID Document as canonical rather than any Link header that purports to advertise the issuer; a mismatch between the two is a spoofing vector [Solid-OIDC § OIDC Issuer Discovery].
      • -
    -
    -
    - -
    -

    Application Authorization

    -
    -

    Web Access Control and Access Control Policy both authorize agents (identified by WebID), not the applications acting on their behalf. Once a user grants an agent access to a resource, any application operating under that agent's WebID inherits that access. Work in the Solid CG is exploring application-aware authorization:

    -
      -
    • WAC has no built-in mechanism to constrain access by application. Its Origin-based matching is explicitly not intended as client identification [WAC § Security and Privacy Review].
      • -
    • ACP can express application-aware rules via the Client matcher, but practical coverage in current implementations is limited (see this demonstration).
      • -
    • Ongoing CG proposals (e.g. conditional-grants extensions to WAC) aim to address these gaps but have not been incorporated into the pinned versions.
      • -
    -
    -
    - -
    -

    Access Control Leakage

    -
    -
      -
    • Append-only permissions can leak the existence of created resources via the Location or Content-Location header in POST responses, even when the requester lacks read access to the container [WAC § Privacy Considerations].
      • -
    • DELETE and PATCH status codes can reveal the existence of resources a requester cannot read — for example, a 404 vs. 403 distinction on a SPARQL DELETE DATA [WAC § Privacy Considerations].
      • -
    • WAC does not mandate audit trails or change notifications for ACL modifications; implementations are only encouraged to provide such accountability features [WAC § Security Considerations].
      • -
    -
    -
    - -
    -

    Personal Data in Access Control and Preferences

    -
    -
      -
    • Access-control resources and group resources can themselves carry personal data (for example, the WebIDs and group memberships of other agents). Any agent holding acl:Control on such a resource can read this data; consent to include someone in an ACL is effectively transitive to everyone with Control rights on it [WAC § Security and Privacy Review].
      • -
    • Preferences Documents are described as legitimate stores for private information, but the Solid WebID Profile draft delegates all protection to WAC/ACP without additional in-spec guidance [Solid WebID Profile § Reading Profile]. Implementers should treat Preferences as sensitive and ensure access controls are applied correctly at storage creation.
      • -
    -
    -
    - -
    -

    Client Identity and Trust

    -
    -
      -
    • Solid-OIDC does not define a mechanism for strongly-asserted client identity; Authorization Servers cannot reliably distinguish one ephemeral client from another, and are expected to treat anonymous clients with low-trust policies [Solid-OIDC § Out of Scope, § Client IDs].
      • -
    • Browser-based clients cannot safely hold client secrets. Confidential-client protections defined by OAuth 2.0 are therefore not available in typical single-page application deployments [Solid-OIDC § Client Secrets].
      • -
    -
    -
    - -
    -

    Profile and Storage Discoverability

    -
    -
      -
    • Information an agent might choose to omit from their WebID Profile (for example, pim:storage or ldp:inbox) may still be discoverable from other resources hosted in the same storage. Exclusion from the profile does not imply non-discoverability [Solid Protocol § Privacy Considerations].
      • -
    • WebID 1.0 does not include a Privacy Considerations section. Because WebID Profile Documents are typically publicly dereferenceable, profile enumeration and correlation across services are possible by default; deployments that wish to limit this must impose it through access control, not the specification.
      • -
    -
    -
    +
      +
    • WebID integrity. The meaning of a WebID depends on the integrity of its Profile Document. Solid WebID Profile § Protected properties requires servers to protect solid:oidcIssuer triples from non-owner modification; not all servers do, and on such a server any agent with write access to the document can change the issuer.
      • +
    • Authorization authorizes agents, not applications. WAC and ACP both grant access to the agent (WebID) behind a request. Any application acting as that agent inherits its access. WAC has no mechanism to constrain by application; ACP's Client matcher has limited practical coverage (demonstration). CG work on conditional grants is in progress.
      • +
    • Consent transitivity in access control. Access-control and group resources can themselves carry personal data. Any agent with acl:Control on such a resource can read that data; consent to include someone in an ACL is transitive to every Control holder [WAC § Security and Privacy Review].
      • +
    • Client identity. Solid-OIDC has no mechanism for strongly-asserted client identity, and browser-based clients cannot hold client secrets. Authorization Servers treat anonymous clients with low-trust policies; confidential-client protections are unavailable in typical SPA deployments [Solid-OIDC § Out of Scope, § Client Secrets].
      • +
    From dd2a271690ceb2a4cf7b22ce3ee6a3287435e145 Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Sat, 25 Apr 2026 16:03:10 +0100 Subject: [PATCH 46/46] update text on protected WebID properties --- solid26.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solid26.html b/solid26.html index 8208eed9..99a3d789 100644 --- a/solid26.html +++ b/solid26.html @@ -648,7 +648,7 @@

    Note

      -
    • WebID integrity. The meaning of a WebID depends on the integrity of its Profile Document. Solid WebID Profile § Protected properties requires servers to protect solid:oidcIssuer triples from non-owner modification; not all servers do, and on such a server any agent with write access to the document can change the issuer.
      • +
    • Protected Properties in WebID Profile Documents. Servers are strongly encouraged to protect the § Protected properties in a Solid WebID Profile document such that non-owner agents with write access to the document cannot change the issuer.
    • Authorization authorizes agents, not applications. WAC and ACP both grant access to the agent (WebID) behind a request. Any application acting as that agent inherits its access. WAC has no mechanism to constrain by application; ACP's Client matcher has limited practical coverage (demonstration). CG work on conditional grants is in progress.
    • Consent transitivity in access control. Access-control and group resources can themselves carry personal data. Any agent with acl:Control on such a resource can read that data; consent to include someone in an ACL is transitive to every Control holder [WAC § Security and Privacy Review].
    • Client identity. Solid-OIDC has no mechanism for strongly-asserted client identity, and browser-based clients cannot hold client secrets. Authorization Servers treat anonymous clients with low-trust policies; confidential-client protections are unavailable in typical SPA deployments [Solid-OIDC § Out of Scope, § Client Secrets].