# W3C Solid Community Group: Weekly * Date: 2024-06-19T14:00:00Z * Call: https://meet.jit.si/solid-cg * Chat: https://matrix.to/#/#solid_specification:gitter.im * Repository: https://github.com/solid/specification * Status: Agenda ## Present * [Michiel de Jong](https://michielbdejong.com) * Sungpil Shin * [elf Pavlik](https://elf-pavlik.hackers4peace.net) * [Pierre-Antoine Champin](https://champin.net/#pa) * Jeff Zucker * Grace Elcock * Rahul Gupta * Maxime Lecoq-Gaillard ## Announcements * MLG has started to work on a spec on indexing within Solid which will present some conclusions of the research conducted with INRIA and Startin'Blox. ### Meeting Guidelines * [W3C Solid Community Group Calendar](https://www.w3.org/groups/cg/solid/calendar). * [W3C Solid Community Group Meeting Guidelines](https://github.com/w3c-cg/solid/blob/main/meetings/README.md). * No audio or video recording, or automated transcripts without consent. Meetings are transcribed and made public. If consent is withheld by anyone, recording/retention must not occur. * Join queue to talk. * Topics can be proposed at the bottom of the agenda to be discussed as time allows. Make it known if a topic is urgent or cannot be postponed. ### Participation and Code of Conduct * [Join the W3C Solid Community Group](https://www.w3.org/community/solid/join), [W3C Account Request](http://www.w3.org/accounts/request), [W3C Community Contributor License Agreement](https://www.w3.org/community/about/agreements/cla/). * [Solid Code of Conduct](https://github.com/solid/process/blob/main/code-of-conduct.md), [Positive Work Environment at W3C: Code of Ethics and Professional Conduct](https://www.w3.org/Consortium/cepc/) * Operating principle for effective participation is to allow access across disabilities, across country borders, and across time. Feedback on tooling and meeting timing is welcome. * If this is your first time, welcome! please introduce yourself. ### Scribes * Michiel ## Topics ### Heads up for next week topic focused on directories related works * eP: Yesterday we discussed with Jeff and Hadrian doing it next week * eP: Jeff is going to present his ongoing efforts * eP: Pavlik is going to present his more recent prototype https://elf-pavlik.github.io/solid-efforts/ * eP: We will discuss future plans and synergies between those two and other related efforts. * MdJ: So the main vulnerability is the link to the IDP * eP: I give that as an example * RG: maybe start a follow-up issue for the countermeasure * eP: I think I'll start a new PR to add a proposed countermeasure, and link them together * eP: Jeff, can this PR be merged? * Jeff: yes ### initial WebID Document considerations URL: https://github.com/solid/security-considerations/pull/9 * eP: This PR was created 2 weeks ago. Some things need a little more protection. There was a lot of discussion. Maybe only describe the attack, not the counter-measure. Ready to merge? ### Add advisement on applicability of security policy based on authentication state and resource semantics URL: https://github.com/solid/security-considerations/pull/8 * eP: I asked Sarven to give an example * eP: when you browse the storage as html, that will generally not be authenticated * PA: it might be risky to assume that authenticated requests can only occur with some form of JavaScript. In the future browser may include part of the mechanisms * MdJ: that already happens with basic auth and with cookies * MdJ: we're all guessing here what Sarven means, I asked him for an example, let's leave it at that * eP: Cookies have other problems, I'll create a separate issue about that ### Document attacks based on poorly secured discovery mechanism URL: https://github.com/solid/security-considerations/issues/12 * eP: if applications can attack the discovery mechanism, they can inject all sorts of things. * MdJ: isn't this a duplicate of the first topic? * eP: yes but it's an extension, more elaborate * Jeff: I would like to back up a bit. Any app that runs as user Jeff on my linux box can do anything it wants to files that are owned by user Jeff. How is that any different from Solid? * eP: I think it's very different, it's common with web applications that they are only authorized to something specific * MdJ: same on desktop, right? * eP: we should investigate how sandboxing works on desktop * PA: I have a few ideas about the issue, but not an export. Jeff, what you said is true, and this model has proved insufficient for non-technical users, that's why mobile devices are much more strict in sandboxing, and linux now also gets stricter sandboxing with things like snap and flatpack * MdJ: I agree, I think desktop is doing that more and more in the last 5 years or so * eP: we should in general follow the principle of least authority * PA: +1 * eP: in SAI, the users cannot even discover the existence of some data unless the user chose to reveal that. IMO Solid performs very poorly in that regard atm * RG: Solid apps are web apps, not like apps you installed. the security measures on the web have to be stricter than on desktop * MLG: maybe we shouldn't install malicious applications. It's a matter of trust. We could vet applications with the community (like an app store). * MdJ: Yes, but then still there is going to be some risk * eP: web apps, you don't install them, you browse to them. In SAI, you authorize the app. For the trust, we've been looking into OIDC federation which allows some signatures, and more like an app store. Myself I have a dual boot on my desktop, because I also don't trust all desktop apps. * Jeff: every document is potentially vulnerable to attack, not just the discovery documents. I understand the need and the push for security, we should not only focus just on that, also on the question of how we do make data available * eP: indeed, it's not black or white. we need to establish trust levels for different parts of the system. Authorization agent has a higher trust level, etc. * MLG: the videos from Inrupt encourage using multiple separate pods. That can help too * MdJ: yes, like Pavlik's dual boot * eP: yes, I also wrote that this morning ### BDD style and the importance of use cases * eP: if we define well the expected behavior of the system, we will be able to better evaluate proposals by seeing if what is being proposed leads to the expected behavior. * eP: behavior can include desired behavior as in regular use cases and and undesired behavior as in attacks from Security Considerations draft * eP: on the basis of use cases we can compare different proposals, like SAI vs type indexes, and maybe in half a year, have a decision * MdJ: We talked about it in previous meeting, this would work for a single team. We are more of a incubation space. Both SAI and type indexes are not going away and are allowed in the space * Jesse: I think both are great, but we should try to get more use case driven development * eP: +1 * eP: I want to respond to Michiel. It's good to have multiple proposals in an incubation space. But at some point for the interop we need to decide. We can provide two alternative mechanisms but only if we can explain the reason. Failing to agree feels unacceptable to me. * Jesse: +1 * Jeff: the majority of developers ignore both SAI and type indexes. A few of them use one or the other. "It's not a standard, it's not something I can depend on, why should I use it". The longer we are in that period of ambivalence, the worse it's going to be in the long run. If we're going to have client-to-client interop, we need to give that consideration. Placing all of this on the server is a different view * PA: And yet they use Solid * eP: I will start writing use cases that show the behaviour we're aiming for with SAI. * MdJ: I don't think there's a lack of arguments for why SAI is better than type indexes. Maybe we should acknowledge that different people use solid differently. There is a single storage protocol but it doesn't have fine grained access control. * eP: but how do app devs know which to choose? * MdJ: app devs just publish their apps and their data needs, the rest is out of scope for them * eP: but what about data discovery by the app * MdJ: just support both * eP: we should agree on one * MdJ: It is not just between SAI and type indexes. There are web nodes, IPFS, etc. as an app developer you may hope that there was a single way but thats not the reality * eP: PA? * PA: I don't have much help to give here. but some thoughts: this is not a WG. The CG charter doesn't require us to choose a single solution. For WGs it's a necessity to reach agreement. The goal of a CG is more incubation. but I feel your pain, I started to develop my own Solid apps, and it's difficult to choose what to do, what to support. There's this mantra of be strict in what you produce and accepting in what you accept, but this diversity is a pain, we should try ot reach a balance between healthy incubation and the proverbial basar * MdJ: If you look at the possible outcomes, if we need to decide between type indexes or SAI. If we choose one the other group would be sad. I don't think non of it is an option. I couldn't choose either one. * eP: that's why I talk about BDD, we should work harder at finding consensus. It shouldn't be personal. We need a way to objectively evaluate proposals without getting attached ot any one. * Jesse: +1 * PA: +1 * PA: Solid has a broad scope. There may be different ways for multiple things to exist. Some use cases may be too niche, and others more desirable. that's also how consensus works * eP: maybe we need to introduce different storage types. but at least there would be a good foundation to explain it. even if we don't achieve unification, we should at least have due diligence * Jeff: I agree with PA it's a broad ecosystem and it's premature to pick one authorization mechanism. But I want to come back to the point about clients and servers. Suppose we want to give developers the choice between SAI and type indexes. How is that implemented? Some IDPs produce webid documents that don't link to type indexes, and other don't link to SAI. We don't have a clear pathway there. I'm in favour of persuing both approaches. There are plenty of places where there are multiple ways of doing things, I don't think that's a weakness * eP: I think the spec should require what is in the webid doc. * MdJ: yes, that makes sense. * Jeff: My opinion would be that if there is a proposal that has reached the level of SAI and the type indexes, a number of people have worked on it, in the CG and with implementations, then it's the responsibility for those writing webid docs to take that into account. Rather than deciding for one or the other, I think we should make it a strong recommendation to webid providers to include certain things in the webid doc, and allow clients to create their own third option. There has to be a way for a client to experiment with that.