From 5b3753a8afc36fce2dc02ca49ae2391eed7dbc0d Mon Sep 17 00:00:00 2001
From: Jesse Wright <63333554+jeswr@users.noreply.github.com>
Date: Sun, 26 Apr 2026 16:15:26 +0100
Subject: [PATCH 1/5] Placeholder access-control-language sections pending CG
 consensus
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a top-of-document warning banner and replaces the WAC/ACP
content in §2 with placeholders marked 'subject to discussion before
inclusion':

- §SOTD: warning banner pointing at the affected sections and #783.
- §2 specifications table: WAC version cell becomes 'Subject to
  discussion before inclusion'; new ACP row added with the same.
- TOC: §2.4 Access Control Policy added; WebID 1.0 and Solid WebID
  Profile renumbered to §2.5/2.6.
- §2.1 Solid Protocol commentary: WAC-encouragement bullet, the
  March 2026 survey note, and the architectural-separation bullet
  are removed and replaced with a one-line pointer to §2.3 / §2.4.
- §2.3 Web Access Control: content replaced with a 'subject to
  discussion before inclusion' warning, pointing at PR #783.
- §2.4 Access Control Policy (new): same placeholder structure.

Allows the wider Solid26 launch to proceed without holding on the
unresolved WAC/ACP wording. Once #783 reaches consensus, this
placeholder branch will be replaced with the agreed text.
---
 solid26.html | 75 ++++++++++++++++++++--------------------------------
 1 file changed, 29 insertions(+), 46 deletions(-)

diff --git a/solid26.html b/solid26.html
index 99a3d789..33406bdd 100644
--- a/solid26.html
+++ b/solid26.html
@@ -278,6 +278,10 @@ <h2 property="schema:name">Status of This Document</h2>
               <p>This document was published by the <a href="https://www.w3.org/groups/cg/solid/">W3C Solid Community Group</a>. It is not a W3C Standard nor is it on the W3C Standards Track. Please note that under the <a href="https://www.w3.org/community/about/agreements/cla/">W3C Community Contributor License Agreement (CLA)</a> there is a limited opt-out and other conditions apply. Learn more about <a href="https://www.w3.org/community/">W3C Community and Business Groups</a>.</p>
               <p>This document is intended to provide implementation guidance for the Solid specifications collected in the Solid26 release. The content of this guide is informative and non-normative. It may be updated, replaced, or obsoleted by other documents at any time.</p>
               <p>Comments regarding this document are welcome. Please file issues on <a href="https://github.com/solid/specification/issues">GitHub</a>.</p>
+              <div class="warning">
+                <h4><span>Notice</span></h4>
+                <p>Some parts of this document are in the final stages of consensus building and are marked <strong>subject to discussion before inclusion</strong>. The currently affected sections are <a href="#web-access-control">§ Web Access Control</a> and <a href="#access-control-policy">§ Access Control Policy</a>; the access-control-language wording is being worked on in <a href="https://github.com/solid/specification/pull/783">PR #783</a> and will land here once consensus is reached.</p>
+              </div>
             </div>
           </section>
           <nav id="toc">
@@ -295,8 +299,9 @@ <h2>Table of Contents</h2>
                     <li class="tocline"><a class="tocxref" href="#solid-protocol"><bdi class="secno">2.1</bdi> <span>Solid Protocol</span></a></li>
                     <li class="tocline"><a class="tocxref" href="#solid-oidc"><bdi class="secno">2.2</bdi> <span>Solid-OIDC</span></a></li>
                     <li class="tocline"><a class="tocxref" href="#web-access-control"><bdi class="secno">2.3</bdi> <span>Web Access Control</span></a></li>
-                    <li class="tocline"><a class="tocxref" href="#webid-1"><bdi class="secno">2.4</bdi> <span>WebID 1.0</span></a></li>
-                    <li class="tocline"><a class="tocxref" href="#webid-profile"><bdi class="secno">2.5</bdi> <span>Solid WebID Profile</span></a></li>
+                    <li class="tocline"><a class="tocxref" href="#access-control-policy"><bdi class="secno">2.4</bdi> <span>Access Control Policy</span></a></li>
+                    <li class="tocline"><a class="tocxref" href="#webid-1"><bdi class="secno">2.5</bdi> <span>WebID 1.0</span></a></li>
+                    <li class="tocline"><a class="tocxref" href="#webid-profile"><bdi class="secno">2.6</bdi> <span>Solid WebID Profile</span></a></li>
                   </ol>
                 </li>
                 <li class="tocline">
@@ -358,9 +363,14 @@ <h2 property="schema:name">Specifications</h2>
                   </tr>
                   <tr>
                     <td><a href="https://solidproject.org/TR/2024/wac-20240512">Web Access Control</a></td>
-                    <td><a href="https://solidproject.org/TR/2024/wac-20240512">(CG-DRAFT, v1.0.0, 2024-05-12)</a></td>
+                    <td><em>Subject to discussion before inclusion</em></td>
                     <td><a href="#web-access-control">Link</a></td>
                   </tr>
+                  <tr>
+                    <td>Access Control Policy</td>
+                    <td><em>Subject to discussion before inclusion</em></td>
+                    <td><a href="#access-control-policy">Link</a></td>
+                  </tr>
                 </tbody>
               </table>
 
@@ -375,48 +385,8 @@ <h3>Solid Protocol</h3>
                       <p>If a server does not support HTTP <code>PATCH</code>, a client can read-modify-write via <code>GET</code> then <code>PUT</code>. To avoid the lost-update problem [<a href="https://www.w3.org/1999/04/Editing/">W3C &mdash; Editing the Web</a>], issue the <code>PUT</code> conditionally with <code>If-Match</code> carrying the <code>ETag</code> returned from the <code>GET</code>; the server responds with <code>412 Precondition Failed</code> if the resource has changed in the interim. If only <code>Last-Modified</code> is exposed, <code>If-Unmodified-Since</code> serves the same role, though its one-second resolution is coarser than <code>ETag</code>-based validation. See <a href="https://httpwg.org/specs/rfc9110.html#response.validator">RFC 9110 &sect; Validator Fields</a> for the full mechanics.</p>
                     </li>
                     <li>
-                      <p>
-                        Servers are strongly encouraged to implement Web Access Control (<a href="https://solidproject.org/TR/protocol#web-access-control">WAC</a>), see <a href="#web-access-control">below</a>. 
-                      </p>
-                      <div class="note" id="note-survey">
-                        <h4><span>Note</span></h4>
-                        <p>The <a href="https://lists.w3.org/Archives/Public/public-solid/2026Mar/0019.html">March 2026 implementation survey</a> yields the following <a href="https://github.com/w3c-cg/solid/blob/main/implementations/wac-acp.2026-04-01.csv">results</a> (<a href="https://web.archive.org/web/20260415092405/https://raw.githubusercontent.com/w3c-cg/solid/64d2c5383976b9e3a51f854576245dbb4bda1ce1/implementations/wac-acp.2026-04-01.csv">archived</a>):</p>
-                          <ul>
-                            <li>
-                              For WAC, the data shows 13 server-side implementations, deployment in 11 services, and 19 client-side implementations.
-                              WAC is considered the pragmatic, user-friendly, and extensible standard that effectively covers nearly all of the use cases from current Solid Apps. 
-                            </li>
-                            <li>
-                              For ACP, the data shows 4 server-side implementations, deployment in 1 service, and 4 client-side implementations. 
-                              ACP is considered an expressive and complex alternative that might be chosen to satisfy corresponding use-case specific requirements.
-                            </li>
-                          </ul>
-                          <p>The data shows that most clients implement only one access control language, despite the Solid Protocol requiring Clients to conform to both WAC and ACP.</p>
-                      </div>
-                      <p>
-                        In case WAC seems not to satisfy implementers' requirements, implementers are strongly encouraged to verify their understanding of the matter in community discussion by providing <a href="https://solidproject.org/TR/wac#document-feedback">feedback</a> to the community.
-                        If WAC is not able to satisfy the requirements, implementers might consider ACP or <a href="https://github.com/solid/authorization-panel/issues/121#issuecomment-4253548683">other suitable mechanisms</a> to achieve their goals.
-                        Client implementers are advised to consider that their Client implementation will not be able to interoperate with every conforming Server their Client might encounter.
-                      </p>
-                      </li>
-                      <li>
-                      <p>
-                        Some Clients might desire to update access control on particular resources, e.g., for sharing a user's data with another user or application.
-                        In such a case, Clients are strongly encouraged to rely on or make use of conforming implementations that are independently tested and verified, e.g., through open test suites and publicly documented implementation reports.
-                        Servers might only allow such tested and verified conformant Clients to modify access control rules.
-                      </p>
-                      <p>
-                        Implementers of Clients are advised to consider whether their Client implementation should actually attempt to modify access rules at all:
-                        An architectural separation between a Client executing application-specific logic and a Client executing authorization-related logic might be beneficial in terms of separation of concerns, maintainability, and re-usability of software components [<a href="#ref-authapp">BKY+24</a>].
-                        Such separation allows Clients to rely on an externally tested and verified Client already implementing of authorization-related logic.
-                        Such approach to modifying access control rules might rely on
-                      </p>
-                      <ul>
-                        <li>access requests to update access control rules accordingly on a Server</li>
-                        <li>issued by the application-logic Client</li>
-                        <li>processed by a particular Client that is able and trusted to manage access controls (such as an access management or authorization application)</li>
-                      </ul>
-                      </li>
+                      <p>The Solid Protocol's access-control requirements (Web Access Control and Access Control Policy) are <em>subject to discussion before inclusion</em>. See <a href="#web-access-control">§ Web Access Control</a> and <a href="#access-control-policy">§ Access Control Policy</a>.</p>
+                    </li>
                     </ul>
                 </div>
               </section>
@@ -442,8 +412,21 @@ <h4><span>EDITORS' Note</span></h4>
               <section id="web-access-control" inlist="" rel="schema:hasPart" resource="#web-access-control">
                 <h3>Web Access Control</h3>
                 <div datatype="rdf:HTML" property="schema:description">
-                  <p><a href="https://solidproject.org/TR/2024/wac-20240512">Web Access Control</a> (CG-DRAFT, v1.0.0, 2024-05-12) is included.</p>
+                  <div class="warning">
+                    <h4><span>Subject to discussion before inclusion</span></h4>
+                    <p>Inclusion and wording of <a href="https://solidproject.org/TR/2024/wac-20240512">Web Access Control</a> in this Implementation Guide is currently under CG discussion. The proposed text is being worked on in <a href="https://github.com/solid/specification/pull/783">PR #783</a> and will land here once consensus is reached.</p>
                   </div>
+                </div>
+              </section>
+
+              <section id="access-control-policy" inlist="" rel="schema:hasPart" resource="#access-control-policy">
+                <h3>Access Control Policy</h3>
+                <div datatype="rdf:HTML" property="schema:description">
+                  <div class="warning">
+                    <h4><span>Subject to discussion before inclusion</span></h4>
+                    <p>Inclusion and wording of <a href="https://solidproject.org/TR/2022/acp-20220518">Access Control Policy</a> in this Implementation Guide is currently under CG discussion. The proposed text is being worked on in <a href="https://github.com/solid/specification/pull/783">PR #783</a> and will land here once consensus is reached.</p>
+                  </div>
+                </div>
               </section>
 
               <section id="webid-1" inlist="" rel="schema:hasPart" resource="#webid-1">

From 14e199dfddbfa4da73a225a4b13ac477d876a5d7 Mon Sep 17 00:00:00 2001
From: Jesse Wright <63333554+jeswr@users.noreply.github.com>
Date: Sun, 26 Apr 2026 16:22:24 +0100
Subject: [PATCH 2/5] =?UTF-8?q?Restore=20the=20'Some=20Clients...'=20bulle?=
 =?UTF-8?q?t=20in=20=C2=A72.1=20Solid=20Protocol?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Keep the architectural-separation guidance for Clients managing
access controls; only the WAC/ACP-encouragement bullet and the
March 2026 survey note remain replaced by the placeholder.
---
 solid26.html | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/solid26.html b/solid26.html
index 33406bdd..6f280a76 100644
--- a/solid26.html
+++ b/solid26.html
@@ -387,6 +387,24 @@ <h3>Solid Protocol</h3>
                     <li>
                       <p>The Solid Protocol's access-control requirements (Web Access Control and Access Control Policy) are <em>subject to discussion before inclusion</em>. See <a href="#web-access-control">§ Web Access Control</a> and <a href="#access-control-policy">§ Access Control Policy</a>.</p>
                     </li>
+                    <li>
+                      <p>
+                        Some Clients might desire to update access control on particular resources, e.g., for sharing a user's data with another user or application.
+                        In such a case, Clients are strongly encouraged to rely on or make use of conforming implementations that are independently tested and verified, e.g., through open test suites and publicly documented implementation reports.
+                        Servers might only allow such tested and verified conformant Clients to modify access control rules.
+                      </p>
+                      <p>
+                        Implementers of Clients are advised to consider whether their Client implementation should actually attempt to modify access rules at all:
+                        An architectural separation between a Client executing application-specific logic and a Client executing authorization-related logic might be beneficial in terms of separation of concerns, maintainability, and re-usability of software components [<a href="#ref-authapp">BKY+24</a>].
+                        Such separation allows Clients to rely on an externally tested and verified Client already implementing of authorization-related logic.
+                        Such approach to modifying access control rules might rely on
+                      </p>
+                      <ul>
+                        <li>access requests to update access control rules accordingly on a Server</li>
+                        <li>issued by the application-logic Client</li>
+                        <li>processed by a particular Client that is able and trusted to manage access controls (such as an access management or authorization application)</li>
+                      </ul>
+                    </li>
                     </ul>
                 </div>
               </section>

From 03d2c29f58b87ae2d32aa50bc5035dde09a4c168 Mon Sep 17 00:00:00 2001
From: Jesse Wright <63333554+jeswr@users.noreply.github.com>
Date: Sun, 26 Apr 2026 16:22:57 +0100
Subject: [PATCH 3/5] =?UTF-8?q?Wrap=20=C2=A72.1=20WAC/ACP=20placeholder=20?=
 =?UTF-8?q?bullet=20in=20a=20warning=20box?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Visual consistency with the placeholders in §2.3 and §2.4.
---
 solid26.html | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/solid26.html b/solid26.html
index 6f280a76..3f030f59 100644
--- a/solid26.html
+++ b/solid26.html
@@ -385,7 +385,10 @@ <h3>Solid Protocol</h3>
                       <p>If a server does not support HTTP <code>PATCH</code>, a client can read-modify-write via <code>GET</code> then <code>PUT</code>. To avoid the lost-update problem [<a href="https://www.w3.org/1999/04/Editing/">W3C &mdash; Editing the Web</a>], issue the <code>PUT</code> conditionally with <code>If-Match</code> carrying the <code>ETag</code> returned from the <code>GET</code>; the server responds with <code>412 Precondition Failed</code> if the resource has changed in the interim. If only <code>Last-Modified</code> is exposed, <code>If-Unmodified-Since</code> serves the same role, though its one-second resolution is coarser than <code>ETag</code>-based validation. See <a href="https://httpwg.org/specs/rfc9110.html#response.validator">RFC 9110 &sect; Validator Fields</a> for the full mechanics.</p>
                     </li>
                     <li>
-                      <p>The Solid Protocol's access-control requirements (Web Access Control and Access Control Policy) are <em>subject to discussion before inclusion</em>. See <a href="#web-access-control">§ Web Access Control</a> and <a href="#access-control-policy">§ Access Control Policy</a>.</p>
+                      <div class="warning">
+                        <h4><span>Subject to discussion before inclusion</span></h4>
+                        <p>The Solid Protocol's access-control requirements (Web Access Control and Access Control Policy) are subject to discussion before inclusion. See <a href="#web-access-control">§ Web Access Control</a> and <a href="#access-control-policy">§ Access Control Policy</a>.</p>
+                      </div>
                     </li>
                     <li>
                       <p>

From fd5646075166c58bbd9d0933a175eeb3b0a12d71 Mon Sep 17 00:00:00 2001
From: Jesse Wright <63333554+jeswr@users.noreply.github.com>
Date: Sun, 26 Apr 2026 16:26:15 +0100
Subject: [PATCH 4/5] Switch placeholder boxes to .issue and broaden the banner
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The W3C base stylesheet styles .note and .issue but not .warning, so
the previous placeholders rendered without a visual box. Switch all
four to class="issue".

Also broaden the top-of-doc banner: state explicitly that the whole
document is a draft so all parts may change, with the highlighted
'subject to discussion' sections (§Web Access Control and §Access
Control Policy) at primary risk.
---
 solid26.html | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/solid26.html b/solid26.html
index 3f030f59..c3b7a99e 100644
--- a/solid26.html
+++ b/solid26.html
@@ -278,9 +278,9 @@ <h2 property="schema:name">Status of This Document</h2>
               <p>This document was published by the <a href="https://www.w3.org/groups/cg/solid/">W3C Solid Community Group</a>. It is not a W3C Standard nor is it on the W3C Standards Track. Please note that under the <a href="https://www.w3.org/community/about/agreements/cla/">W3C Community Contributor License Agreement (CLA)</a> there is a limited opt-out and other conditions apply. Learn more about <a href="https://www.w3.org/community/">W3C Community and Business Groups</a>.</p>
               <p>This document is intended to provide implementation guidance for the Solid specifications collected in the Solid26 release. The content of this guide is informative and non-normative. It may be updated, replaced, or obsoleted by other documents at any time.</p>
               <p>Comments regarding this document are welcome. Please file issues on <a href="https://github.com/solid/specification/issues">GitHub</a>.</p>
-              <div class="warning">
+              <div class="issue">
                 <h4><span>Notice</span></h4>
-                <p>Some parts of this document are in the final stages of consensus building and are marked <strong>subject to discussion before inclusion</strong>. The currently affected sections are <a href="#web-access-control">§ Web Access Control</a> and <a href="#access-control-policy">§ Access Control Policy</a>; the access-control-language wording is being worked on in <a href="https://github.com/solid/specification/pull/783">PR #783</a> and will land here once consensus is reached.</p>
+                <p>This document is currently a draft; all parts are subject to change. The pieces marked <strong>subject to discussion before inclusion</strong> are at primary risk: <a href="#web-access-control">§ Web Access Control</a> and <a href="#access-control-policy">§ Access Control Policy</a>. The access-control-language wording is being worked on in <a href="https://github.com/solid/specification/pull/783">PR #783</a> and will land here once consensus is reached.</p>
               </div>
             </div>
           </section>
@@ -385,7 +385,7 @@ <h3>Solid Protocol</h3>
                       <p>If a server does not support HTTP <code>PATCH</code>, a client can read-modify-write via <code>GET</code> then <code>PUT</code>. To avoid the lost-update problem [<a href="https://www.w3.org/1999/04/Editing/">W3C &mdash; Editing the Web</a>], issue the <code>PUT</code> conditionally with <code>If-Match</code> carrying the <code>ETag</code> returned from the <code>GET</code>; the server responds with <code>412 Precondition Failed</code> if the resource has changed in the interim. If only <code>Last-Modified</code> is exposed, <code>If-Unmodified-Since</code> serves the same role, though its one-second resolution is coarser than <code>ETag</code>-based validation. See <a href="https://httpwg.org/specs/rfc9110.html#response.validator">RFC 9110 &sect; Validator Fields</a> for the full mechanics.</p>
                     </li>
                     <li>
-                      <div class="warning">
+                      <div class="issue">
                         <h4><span>Subject to discussion before inclusion</span></h4>
                         <p>The Solid Protocol's access-control requirements (Web Access Control and Access Control Policy) are subject to discussion before inclusion. See <a href="#web-access-control">§ Web Access Control</a> and <a href="#access-control-policy">§ Access Control Policy</a>.</p>
                       </div>
@@ -433,7 +433,7 @@ <h4><span>EDITORS' Note</span></h4>
               <section id="web-access-control" inlist="" rel="schema:hasPart" resource="#web-access-control">
                 <h3>Web Access Control</h3>
                 <div datatype="rdf:HTML" property="schema:description">
-                  <div class="warning">
+                  <div class="issue">
                     <h4><span>Subject to discussion before inclusion</span></h4>
                     <p>Inclusion and wording of <a href="https://solidproject.org/TR/2024/wac-20240512">Web Access Control</a> in this Implementation Guide is currently under CG discussion. The proposed text is being worked on in <a href="https://github.com/solid/specification/pull/783">PR #783</a> and will land here once consensus is reached.</p>
                   </div>
@@ -443,7 +443,7 @@ <h4><span>Subject to discussion before inclusion</span></h4>
               <section id="access-control-policy" inlist="" rel="schema:hasPart" resource="#access-control-policy">
                 <h3>Access Control Policy</h3>
                 <div datatype="rdf:HTML" property="schema:description">
-                  <div class="warning">
+                  <div class="issue">
                     <h4><span>Subject to discussion before inclusion</span></h4>
                     <p>Inclusion and wording of <a href="https://solidproject.org/TR/2022/acp-20220518">Access Control Policy</a> in this Implementation Guide is currently under CG discussion. The proposed text is being worked on in <a href="https://github.com/solid/specification/pull/783">PR #783</a> and will land here once consensus is reached.</p>
                   </div>

From 0df85271957ace0cc454997f7efb2a6097c009bc Mon Sep 17 00:00:00 2001
From: Jesse Wright <63333554+jeswr@users.noreply.github.com>
Date: Sun, 26 Apr 2026 16:34:38 +0100
Subject: [PATCH 5/5] Link the ACP row in the specifications table to
 TR/2022/acp-20220518

---
 solid26.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/solid26.html b/solid26.html
index c3b7a99e..c0bff750 100644
--- a/solid26.html
+++ b/solid26.html
@@ -367,7 +367,7 @@ <h2 property="schema:name">Specifications</h2>
                     <td><a href="#web-access-control">Link</a></td>
                   </tr>
                   <tr>
-                    <td>Access Control Policy</td>
+                    <td><a href="https://solidproject.org/TR/2022/acp-20220518">Access Control Policy</a></td>
                     <td><em>Subject to discussion before inclusion</em></td>
                     <td><a href="#access-control-policy">Link</a></td>
                   </tr>