PROPOSED PUMPKIN Working Group Charter
DRAFT
This is a draft text, under development by the community. The goal is to, eventually, submit this draft charter proposal to an official W3C AC review.
Any text rendered like this refers to content that must be finalized before the charter is sent to AC review.
Any text rendered like this refers to content that must be updated when the final charter is published at the latest (e.g., adjusting hyperlinks).
The mission of the PUMPKIN Working Group (LINK TBD) is to enable the development of web applications where data storage, entity authentication, access control, and application provider are all loosely coupled, as opposed to the web of today where these are typically all tightly coupled and changing one requires changing all, sometimes at the price of all past data. This will be achieved by standardizing a protocol between client-side applications, on the one hand, and identity and storage providers, on the other hand.
This proposed charter is available on GitHub. Feel free to raise issues.
| Charter Status | See the group status page (LINK TBD) and detailed change history. |
|---|---|
| Start date | [yyyy-mm-dd] (date of the "Call for Participation", when the charter is approved) |
| End date | [yyyy-mm-dd] (Start date + 2 years) |
| Chairs | |
| Team Contacts | Pierre-Antoine Champin (0.1 FTE) |
| Meeting Schedule |
Teleconferences: 1-hour calls will be held bi-weekly
Face-to-face: we will meet during the W3C's annual Technical Plenary week; additional face-to-face meetings may be scheduled by consent of the participants, usually no more than 3 per year. |
Note: The W3C Process Document requires “The level of confidentiality of the group's proceedings and deliverables”; however, it does not mandate where this appears. Since all W3C Working Groups should be chartered as public, this notice has been moved from the essentials table to the communication section.
Motivation and Background
It is common for web service providers to require users to surrender control over their own data, and store them in a way that is often restricted to certain systems, or can only be accessed by the applications that created them.
A number of initiatives — such as IndieWeb, Unhosted, and Solid — have emerged to propose alternative models for web applications. They are largely based on existing open web standards, which they extend to give priority to individual and group autonomy.
The W3C Solid Community Group has been incubating specifications since 2018 towards that end, i.e., "to describe the interoperability between different classes of products by using web communication protocols, global identifiers, authentication and authorization mechanisms, data formats and shapes, notifications, and query interfaces." It has regularly sought cross-fertilization with the aforementioned communities, among others (e.g., the Credentials Community Group (CCG), the Federated Identity Community Group, the Social Web Incubator Community Group, and the Web Platform Incubator Community Group (WICG)).
The broader Solid community has developed a suite of implementations, tools, and libraries for developers, as well as applications for users. Also see an explainer for more detailed description of the Solid approach.
Scope
The scope of the Working Group is to define a web protocol that applications can use to authenticate users and store their data with user-chosen identity and storage servers. Applications that use this protocol can more easily allow their users to exert and maintain authority over their data, identity, and privacy. This protocol will ensure interoperability between compliant user applications, and compliant storage and identity servers, thus giving users the freedom to select the applications and services that suit their needs.
Based on the user stories identified by the Solid project, potentially extended by Working Group participants, the Working Group will:
- Define a core web protocol specification for the secure and efficient operation of compliant servers and the behavior of compliant client-side applications interacting with those servers.
- Recommend a set of practices needed for data security for PUMPKIN storage, and for both server and client software, including use of appropriate authentication, authorization, access management life-cycle, verification, identity, and other standards, integrating existing outside efforts.
Out of Scope
The following features are out of scope, and will not be addressed by this Working group.
- Definition of a unique and exclusive solution for Personal Data Stores
- Definition of new identity mechanisms
- Definition of new data formats
Deliverables
Updated document status is available on the group publication status page (LINK TBD).
Normative Specifications
The Working Group will deliver the following W3C normative specifications:
- PUMPKIN Protocol v1.0
-
The PUMPKIN Protocol specification aims to provide applications with secure and permissioned access to externally stored data in an interoperable way.
The PUMPKIN Protocol may include protocol details for integration with identity layers and mechanisms; access management and data integrity; notifications about resource changes; and authorization mechanisms.
Input documents:
- Solid Protocol, latest published version (0.10.0) or Editor's Draft, adopted from W3C Solid Community Group. “An overarching design goal of the Solid ecosystem is to be evolvable and to provide fundamental affordances for decentralized web applications for information exchange in a way that is secure and privacy respecting. In this environment, actors allocate identifiers for their content, shape and store data where they have access to, set access controls, and use preferred applications and services [...].”
- Fedora API Specification 1.0. While addressing different use-cases, the Fedora API has a similar technical design as the Solid protocol. It can therefore serve as a useful point of comparison.
The Working Group will consider other input, in addition to these specifications, if it deems that input to be within the scope of its charter and relevant to the goals of its deliverables.
All specifications, regardless of their progress along the W3C Process line from First Public Working Draft to Recommendation, will indicate their version using the Semantic Versioning scheme. The required versions of each dependency will be given in each specification.
Dependencies
The draft of the PUMPKIN Protocol proposed for adoption has a number of normative dependencies with maturity levels insufficient for a recommendation (e.g., Community Group reports, Editor's Drafts). To allow the PUMPKIN Protocol v1.0 to progress on the Recommendation track, the Working Group will need to decide how to deal with these dependencies. This may include downgrading some of these dependencies to non-normative references; specifying the required parts in the PUMPKIN Protocol itself; and/or relying on other specifications to fulfill the same purpose.
Depending on the Working Group progress, including consideration for adequate implementation experience, the Group may also decide to adopt the following dependencies as input documents:
- WebID
- A simple universal identification mechanism that is distributed, openly extensible, improves privacy, security and control over how each person can identify themselves in order to allow fine grained access control to their information on the web. Latest development at w3c/WebID.
- Solid-OpenID
- Allows entities to authenticate within the Solid ecosystem.
- Web Access Control
- Web Access Control (WAC) is a decentralized cross-domain access control system providing a way for Linked Data systems to set authorization conditions on HTTP resources using the Access Control List (ACL) model.
- Access Control Policy
- Access Control Policy (ACP) is a language for describing, controlling, and granting access to resources.
- Solid Notifications Protocol
- Linked Data-based protocol for sending notification to client application upon updates to resources in the Solid ecosystem while respecting resource-based access controls and privacy.
Adding new Recommendation-track deliverables
If additional in-scope Recommendation-track deliverables need to be added to the Charter before the Charter expires, the Working Group will propose an updated Charter that differs only in deliverables.
The Working Group will adopt proposals that fulfill the requirements of W3C Recommendation Track Readiness. In particular, the Working Group will only adopt proposals it deems sufficiently mature. Proposals can be made to the Working Group through W3C Community Groups or another similar incubation phase.
Other Deliverables
Other non-normative documents may be created such as:
- Test Suite and Implementation Report
-
The Working Group will develop a test suite and implementation report to test and document conformance levels achieved by implementers.
Timeline
| Note: The group will document significant changes from this initial schedule on the group home page. | ||||
| Specification | FPWD | CR | PR | Rec |
|---|---|---|---|---|
| PUMPKIN Protocol | START + 6M | START + 18M | START + 21M | START + 24M |
Success Criteria
In order to advance to Proposed Recommendation, each normative specification is expected to have at least two independent interoperable implementations of every feature defined in the specification, where interoperability can be verified by passing open test suites, and two or more implementations interoperating with each other. In order to advance to Proposed Recommendation, each normative specification must have an open test suite of every feature defined in the specification.
There should be testing plans for each specification, starting from the earliest drafts.
To promote interoperability, the group will document testing policies, processes, and procedures, taking Solid QA as an input.
Each specification should contain sections detailing all known security and privacy implications for implementers, web authors, and end users.
Each specification should contain a section on accessibility that describes the benefits and impacts, including ways specification features can be used to address them, and recommendations for maximizing accessibility in implementations.
This Working Group expects to follow the TAG Web Platform Design Principles.
Coordination
For all specifications, this Working Group will seek horizontal review for accessibility, internationalization, privacy, and security with the relevant Working and Interest Groups, and with the TAG. Invitation for review must be issued during each major standards-track document transition, including FPWD. The Working Group is encouraged to engage collaboratively with the horizontal review groups throughout development of each specification. The Working Group is advised to seek a review at least 3 months before first entering CR and is encouraged to proactively notify the horizontal review groups when major changes occur in a specification following a review.
Additional technical coordination with the following Groups will be made, per the W3C Process Document:
W3C Groups
- Credentials Community Group
- To explore and report on the application of creating, storing, presenting, verifying, and user control of credentials in the context of PUMPKIN Protocol.
- Decentralized Identifier Working Group
- To investigate whether existing DID methods should be adopted by the PUMPKIN Protocol (and related technical reports), and to advance an understanding of whether a specific DID method is needed.
- LDP Next Community Group
- To transfer applicable design decisions and implementation experience towards the PUMKIN Protocol, and report back on components that can be adopted.
- Notation 3 (N3) Community Group
- To investigate the possibility of transferring PUMKIN Protocol's N3 Patch to the N3 Community Group where its standardization development can continue with broader applicability.
- RDF-star Working Group
- To reuse and report on recent extensions to RDF and SPARQL that can be incorporated with upstream specifications like the PUMPKIN Protocol.
- Social Web Incubator Community Group
- To continue with the development of a shared understanding between Linked Data(-compatible) specifications and their reuse, e.g., ActivityPub, AS2, LDN.
- Solid Community Group
- To maintain a separation of goals and transfer of incubated work items.
- Unhosted Web Community Group
- To explore the overlaps (e.g., CORS, user-centric storage, JSON-LD container descriptions) and differences (e.g., OAuth instead of WAC/ACP) between the PUMPKIN Protocol draft and their work on remoteStorage.
- Verifiable Credentials Working Group
- To inquire on the suitability of credential data models and serializations, and their potential integration with the PUMPKIN Protocol.
- WebID Community Group
- To provide integration feedback on the use of WebIDs in PUMPKIN Protocol (and related technical reports) in order to stabilize the fundamental notions and behaviors.
- Web Authentication Working Group
- To ensure that Web Authentication primitives align with PUMPKIN principles and aims, as well as investigate areas to bridge with the WebAuthn API to improve user's privacy and consent.
- Web Platform Incubator Community Group
- To further develop a mutual understanding of how the federated credential management API and PUMPKIN can align better.
- Web of Things Working Group
- To investigate the suitability of PUMPKIN Protocol in the context of IoT platforms and application domains, and ways to improve their integration.
External Organizations
- IETF HTTP Working Group
- To ensure that the PUMPKIN Protocol is following best practices, in particular BCP 56: Building Protocols with HTTP.
- OpenID Connect Work Group
- Coordination on specifications related to OpenID Connect (OIDC).
Participation
To be successful, this Working Group is expected to have 6 or more active participants for its duration, including representatives from the key implementers of this specification, and active Editors and Test Leads for each specification. The Chairs, specification Editors, and Test Leads are expected to contribute half of a working day per week towards the Working Group. There is no minimum requirement for other Participants.
The group encourages questions, comments and issues on its public mailing lists and document repositories, as described in Communication.
The group also welcomes non-Members to contribute technical submissions for consideration upon their agreement to the terms of the W3C Patent Policy.
Participants in the group are required (by the W3C Process) to follow the W3C Code of Ethics and Professional Conduct.
Communication
Technical discussions for this Working Group are conducted in public: the meeting minutes from teleconference and face-to-face meetings will be archived for public review, and technical discussions and issue tracking will be conducted in a manner that can be both read and written to by the general public. Working Drafts and Editor's Drafts of specifications will be developed in public repositories and may permit direct public contribution requests. The meetings themselves are not open to public participation, however.
Information about the group (including details about deliverables, issues, actions, status, participants, and meetings) will be available from the PUMPKIN Working Group home page (LINK TBD).
Most PUMPKIN Working Group teleconferences will focus on discussion of particular specifications, and will be conducted on an as-needed basis.
This group primarily conducts its technical work: on the public mailing list public-solid-wg@w3.org (LINK TBD) (archive (LINK TBD)) or on GitHub issues (LINK TBD). The public is invited to review, discuss and contribute to this work.
The group may use a Member-confidential mailing list for administrative purposes and, at the discretion of the Chairs and members of the group, for member-only discussions in special cases when a participant requests such a discussion.
Decision Policy
This group will seek to make decisions through consensus and due process, per the W3C Process Document (section 5.2.1, Consensus). Typically, an editor or other participant makes an initial proposal, which is then refined in discussion with members of the group and other reviewers, and consensus emerges with little formal voting being required.
However, if a decision is necessary for timely progress and consensus is not achieved after careful consideration of the range of views presented, the Chairs may call for a group vote and record a decision along with any objections.
To afford asynchronous decisions and organizational deliberation, any resolution (including publication decisions) taken in a face-to-face meeting or teleconference will be considered provisional. A call for consensus (CfC) will be issued for all resolutions (for example, via email, GitHub issue or web-based survey), with a response period from five to ten working days, depending on the chair's evaluation of the group consensus on the issue. If no objections are raised by the end of the response period, the resolution will be considered to have consensus as a resolution of the Working Group.
All decisions made by the group should be considered resolved unless and until new information becomes available or unless reopened at the discretion of the Chairs.
This charter is written in accordance with the W3C Process Document (Section 5.2.3, Deciding by Vote) and includes no voting procedures beyond what the Process Document requires.
Patent Policy
This Working Group operates under the W3C Patent Policy (Version of 15 September 2020). To promote the widest adoption of web standards, W3C seeks to issue web specifications that can be implemented, according to this policy, on a Royalty-Free basis. For more information about disclosure obligations for this group, please see the licensing information (LINK TBD).
Licensing
This Working Group will use the W3C Software and Document license for all its deliverables.
About this Charter
This charter has been created according to section 3.4 of the Process Document. In the event of a conflict between this document or the provisions of any charter and the W3C Process, the W3C Process shall take precedence.
Charter History
The following table lists details of all changes from the initial charter, per the W3C Process Document (section 4.3, Advisory Committee Review of a Charter):
| Charter Period | Start Date | End Date | Changes |
|---|---|---|---|
| Initial Charter | [yyyy-mm-dd] | [yyyy-mm-dd] | none |