Phase 1 of @csarven review on PR #783: tighten WAC/ACP framing

jeswr · jeswr · commit 7fb35b739f8b · 2026-04-26T13:09:45.000+01:00
WAC paragraph: - One-line opener: 'WAC is pragmatic, user-friendly, and extensible.' - Drop the monotonic-semantics explanation (item 5: not useful to implementers). - Reframe limitations as 'WAC 1.0 does not support deny or non-additive policy composition, application-aware matching beyond Origin, or issuer matching' (item 15: deliberate-design framing implicit; items 16/17: drop 'more expressive' / 'beyond WAC' rhetoric). - Keep WAC 1.1 ED signpost via the Wayback URL (will swap to TR snapshot once #784 merges). ACP paragraph: - One-line opener: 'ACP is expressive.' - Drop 'more expressive alternative' / 'suited to requirements beyond WAC' rhetoric; replace with concrete capabilities grounded in the ACP spec (acp:client, acp:issuer, acp:vc, acp:allOf/anyOf/noneOf). - Note ACP does not define its own access modes (per spec). - Add maintenance/test/no-S&P-section caveats (items 10/18).
diff --git a/solid26.html b/solid26.html
@@ -384,8 +384,8 @@ <h3>Solid Protocol</h3>
                       <p>
                         The Solid Protocol requires Servers to conform to Web Access Control (<a href="#web-access-control">WAC</a>), Access Control Policy (<a href="#access-control-policy">ACP</a>), or both, and requires Clients to conform to both. In practice, Clients typically conform to one. A Client that conforms to only one and needs to read or write access-control rules will not interoperate with a Server that implements only the language the Client does not support; Clients that do not interact with access-control rules are unaffected. Implementers choosing between the two should consider the requirements satisfied by each.
                       </p>
-                      <p>WAC is the simpler and extensible access-control language, covering the cases used by most current Solid applications. Its policies are RDF with monotonic semantics &mdash; adding or removing triples preserves the truth of existing grants. Optional <code>acl:origin</code> matching is not intended as client identification [<cite><a class="bibref" href="#ref-wac">WAC</a></cite> § <a href="https://solidproject.org/TR/2024/wac-20240512#security-privacy-review">Security and Privacy Review</a>]. WAC 1.0 (pinned here) does not express deny rules, application-aware matching beyond Origin, or conditional grants. Application-aware matching and conditional grants land as <code>acl:condition</code> in <a href="https://web.archive.org/web/20260425225256/https://solid.github.io/web-access-control-spec/">WAC 1.1 ED</a>, with no implementations known at the time of publication.</p>
-                      <p>ACP is the more expressive alternative, suited to requirements that go beyond what WAC can directly express. Policies can carry allow and deny rules in the same document with non-monotonic semantics, so a deny rule can override a prior allow. Subjects can additionally be identified by the <em>application</em> making the request via the <code>acp:client</code> matcher, and rules composed via <code>acp:allOf</code>, <code>acp:anyOf</code>, and <code>acp:noneOf</code>, supporting context-aware policies.</p>
+                      <p>WAC is pragmatic, user-friendly, and extensible. WAC 1.0 does not support deny or non-additive policy composition, application-aware matching beyond Origin, or issuer matching; application-aware matching, issuer matching, and other conditional grants land as <code>acl:condition</code> in <a href="https://web.archive.org/web/20260425225256/https://solid.github.io/web-access-control-spec/">WAC 1.1 ED</a>, with no implementations known at the time of publication.</p>
+                      <p>ACP is expressive. It supports allow and deny rules (deny overrides allow), application-aware (<code>acp:client</code>) and issuer (<code>acp:issuer</code>) matching, verifiable-credential matching (<code>acp:vc</code>), and policy composition via <code>acp:allOf</code> / <code>acp:anyOf</code> / <code>acp:noneOf</code>. ACP does not define its own access modes. The ACP draft has not been revised since 2022 and has no public test suite or Security and Privacy Considerations section.</p>
                       <div class="note" id="note-survey">
                         <h4><span>Note</span></h4>
                         <p>The <a href="https://lists.w3.org/Archives/Public/public-solid/2026Mar/0019.html">March 2026 implementation survey</a> (<a href="https://github.com/w3c-cg/solid/blob/main/implementations/wac-acp.2026-04-01.csv">data</a>, <a href="https://web.archive.org/web/20260415092405/https://raw.githubusercontent.com/w3c-cg/solid/64d2c5383976b9e3a51f854576245dbb4bda1ce1/implementations/wac-acp.2026-04-01.csv">archived</a>):</p>
