by bduerst 1502 days ago
I haven't dived into the specs, but how does Solid solve bad actors getting access to your pod?

Usually today your data is fragmented across platforms (so damage is reduced) which have centralized authorities who can step in and fix bad actor issues.

Honestly, I'm gonna be super lazy and just quote the front page of the site:

> Anyone or anything that accesses data in a Solid Pod uses a unique ID, authenticated by a decentralized extension of OpenID Connect. Solid's access control system uses these IDs to determine whether a person or application has access to a resource in a Pod.

Of course, as a data owner, you could accidentally grant a bad actor access to your data, but presumably you can also revoke that access as well.

But that's just it though - if bad actors gain control, you lose the ability to reject OAuth creds (which is what OpenID is). Things like social engineering or phishing of credentials, which happens at scale today.

They need a way to handle situations when bad actors take over, because other solutions handle this with centralized authorities who step in and rectify the issue.

I'm now confused by what you mean when you say "gain control".

Are you talking about literally exploiting a bug and hacking the underlying service that is providing access to the pod?

In that case, it's a question of who owns and operates the pod. Solid is conceived as a set of standards that can be implemented by either individuals, or by companies on behalf of individuals. Think "data ownership as a service".

So you can still have centralized entities that implement the spec and provide support and other services for users, including dealing with security incidents.