Good discussion. I see at least 3 topics in this thread and would like to give my comments for each:
1. About nonrepudiation
@A_A has a good point to utilize asymmetric encryption (e.g. RSA) to prove the action really came from Alice. Meanwhile, the same tactic can also be used for the origin question: it actually doesn’t matter who sends the request to update Bob’s photo POD; as long as the like has a valid signature, it should be added to Bob’s POD. Say Carl also liked Bob’s photo, he can generate a message:
`m = f("like", <uri_photo>, <carl_private_key>)`. No matter whether m is sent by Alice or Carl or anybody else, Bob (or anyone else) can always verify with Carl’s public key to see if Carl really did that like. Therefore, Bob’s Acl:add permission for likers can always be public without complex permission control.
However, this requires an extra PKI system, which is not part of the existing ACL. So @alex.bourlier still needs his agent.
2. About ACL
As far as I read, it looks like ACL only focuses on documents/containers. It forces developers to carefully design the hierarchies and decide which triple should be put at which path, introducing complex permission settings.
Solid/SemanticWeb is knowledge-based. I would say a knowledge-oriented access control would be more reasonable. This means no matter where the triple is placed, as long as it matches a certain SPARQL, it has the permission setting like Bala Bala… This would provide a lot of flexibility for developers to design their systems, merge RDF files, and manage accesses.
3. About multi-copy states
Agree with @jeffz. It’s the last thing you want to do to maintain one state in multiple places, especially with various access settings. Think about if the notification failed to sync, or Alice replaced her like with a dislike in her own POD, or the system allows multiple likes… a lot of trouble would happen. Depending on the system design, the like status can be stored in either Alice’s or Bob’s POD. Meanwhile, the other POD should only record the event (Alice, interacted, bob_photo) as a reference to the state POD. Whoever wants more details should go to the state POD for checking.
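
The signed-like idea from point 1, as an added example that is not part of the original post: it uses Ed25519 signatures from Node's built-in `crypto` module in place of RSA. The `keyDirectory` map (standing in for the PKI the post says would be needed), the WebIDs, the photo URI and all function names are assumptions made for the illustration.

```javascript
// Added illustration: a signed "like" that Bob's pod accepts from any submitter.
const crypto = require('node:crypto');

// Canonical bytes covered by the signature: action, liker's WebID, photo URI.
function likePayload(actor, photoUri) {
  return Buffer.from(JSON.stringify(['like', actor, photoUri]), 'utf8');
}

// m = f("like", <uri_photo>, <private_key>) from the post, here with Ed25519.
function makeLike(actor, photoUri, privateKey) {
  const sig = crypto.sign(null, likePayload(actor, photoUri), privateKey);
  return { actor, photoUri, sig: sig.toString('base64') };
}

// keyDirectory is a hypothetical Map from WebID to that person's public key.
function verifyLike(like, keyDirectory) {
  const publicKey = keyDirectory.get(like.actor);
  if (!publicKey) return false; // unknown signer: nothing to verify against
  const sig = Buffer.from(String(like.sig), 'base64');
  return crypto.verify(null, likePayload(like.actor, like.photoUri), publicKey, sig);
}

// Bob's pod: publicly appendable, but only validly signed likes are stored.
// The submitter is never consulted, so a relay is as good as the liker.
function acceptLike(podLikes, like, keyDirectory) {
  if (!verifyLike(like, keyDirectory)) return false;
  podLikes.set(`${like.actor} ${like.photoUri}`, like); // one like per actor and photo
  return true;
}

// Constructed sample data (WebID and URI are made up for the example).
const CARL = 'https://carl.example/profile#me';
const PHOTO = 'https://bob.example/photos/1.jpg';
function demo() {
  const carl = crypto.generateKeyPairSync('ed25519');
  const alice = crypto.generateKeyPairSync('ed25519');
  const keyDirectory = new Map([[CARL, carl.publicKey]]);
  const podLikes = new Map();
  const carlsLike = makeLike(CARL, PHOTO, carl.privateKey);
  return {
    relayedByAlice: acceptLike(podLikes, carlsLike, keyDirectory), // Alice submits Carl's like
    forgedByAlice: acceptLike(podLikes, makeLike(CARL, PHOTO, alice.privateKey), keyDirectory),
    movedToOtherPhoto: acceptLike(podLikes, { ...carlsLike, photoUri: PHOTO + '?2' }, keyDirectory),
    stored: podLikes.size,
  };
}
```

Because the signature covers the liker's WebID and the photo URI, a like relayed by a third party is accepted, while one signed with the wrong key or re-pointed at another photo is rejected.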