2022-02-02.md

W3C Solid Community Group: Solid Editors

• Date: 2022-02-02T14:00:00Z
• Call: https://meet.jit.si/solid-specification
• Chat: https://gitter.im/solid/specification
• Repository: https://github.com/solid/specification

Present

• Sarven Capadisli
• Justin Bingham
• Kjetil Kjernsmo
• Tim Berners-Lee

---

Announcements

Meeting Recordings and Transcripts

• No audio or video recording, or automated transcripts without consent. Meetings are transcribed and made public. If consent is withheld by anyone, recording/retention must not occur.
• Join queue to talk.

Participation and Code of Conduct

• Join the W3C Solid Community Group, W3C Account Request, W3C Community Contributor License Agreement
• Solid Code of Conduct, Positive Work Environment at W3C: Code of Ethics and Professional Conduct
• Operating principle for effective participation is to allow access across disabilities, across country borders, and across time. Feedback on tooling and meeting timing is welcome.
• If this is your first time, welcome! please introduce yourself.

Scribes

• Sarven Capadisli

Introductions

• name: text

---

Topics

Restriction to only respond to authorized with Allow et al

URL: #353

• SC: Minor: rebase PR.. just need to call if we're okay with Allow not touching authz. AFAIK, KK and I have the same view on this.
• KK: Distinction b/w Allow, WAC-Allow and Accept-* headers. My interpretation of HTTP is to not have Allow header touching authorization. TO make sure not to jump through hoops for an expensive operation.
• KK: Aaron's concern was exposing various Accept-* headers.
• JB: You can discover information about a resource that you shouldn't know. If you're not authenticated, what can you learn. That seems to be what Aaron and Emelia are concerned about. First can you know a resource exists or not. Brute forcing.. what can you learn. If something exists, what else can you learn about it. Conctainer or not. RDF or not. If we can directly answer those questions and A and E's satistfaction, the enumeration is reasonable then we are good.
• SC: Allow does not entail resource exists.
• JB: If true, security concern is not valid. Is this the right type of response expected by client eg. I'm not authorized give 4xx.
• KK: Aaron's comment was to hide if something is an RDF document. Initially it was about not having authnz requirement for that section.. then I changed the patch to authnz only for Accept-* but not Allow. After that he hasn't returned with concerns.
• KK: If we skip the Allow header then you can still guess and get a 405. Infer the same knowledge but with a great cost.