reading of ACL resource should be reduced to requiring client to have Read rights.

[bblfish]

The ACL ontology states:

  acl:Control     a :Class;
         :comment "Allows read/write access to the ACL for the resource(s)";
         :label "control"@en;
         :subClassOf acl:Access .

This clearly gives read/write access to the controller. But that is different from disallowing read access to anyone else, which is what the removed text stated.

There are use cases for making ACLs readable in order to guarantee privacy of the client. There are ways to extend ACL so that ACLs become readable, see ACLs on ACLs, and this is also needed by ACP.
Having the default be as it currently is specified in WAC that ACLs be only visible to those who control them, when no other information is available, is a default choice that makes sense. But closing doors to valid use cases that would allow such extensions is not justifiable.

[bblfish]

To cover discoverability I would be fine with text such as the following:

In order to allow a client that has read access to an ACL to discover it, a server MUST place a Link: <...>; rel="acl" header in the response to the associated resource.

[gibsonf1]

My vote is also to have default behavior be that an acl is an acl of itself unless the acl has its own acl. (This is how our current acl algorithm is operating)

[bblfish]

@gibsonf1 I am in favor of having ACLs of ACLs and of an ACL being its own ACL :-) It would be useful to open a separate PR for that. I am not sure where though.

Here I am just proposing to remove 2 words that could make it seem like the behavior you have implemented was not legal.

[csarven]

Thanks for highlighting the problematic text and a clarification for it. Closing this PR as agreed in favour of #252