2025-06-19 TSC Minutes

Attendees & Representation

LF Staff:

Agenda

• Review and approval of previous meeting minutes

• Action Items Review

• General Topics

  • Governance & project management issues

  • API Backlog

  • Commonalities

  • Identity & Consent Management

  • Release Management

• Specific Topics

  • End User Council (EUC)

  • OWASP security guidelines

• Any Other Topics

Minutes

Review and approval of previous meeting minutes

• Minutes of previous TSC meeting: https://lf-camaraproject.atlassian.net/wiki/spaces/CAM/pages/130482251

  • No comments - approved

Action Item Review

• See home page Technical Steering Committee for current list of open action items

  • One ongoing issue, no updates

Governance & Project Management issues

• Results from votings started after previous TSC meeting:

  • Vote to approve the promotion of the Device Swap API Repository to the Incubation Lifecycle state: 9 votes, all “Approve”

  • Vote to approve the promotion of the Population Density Data API Repository to the Incubation Lifecycle state: 9 votes, all “Approve”

  • Congratulations to the the teams of Device Swap and Population Density Data!

  • Changes in Wiki and GitHub already done.

• https://github.com/camaraproject/Governance/issues/191

  • All README files within API repositories aligned with the current template (at least the first 15 lines)

  • Consistency of the README badge, descriptive text and wiki page link as well the validity of the wiki page link will be regularly checked via “Repository Overview” workflow (see next item). So: please don’t touch the first 15 lines

• https://github.com/camaraproject/Governance/issues/193

  • Repository created, currently used for:

    • workflow to create new (Sandbox) API Repositories

    • set of workflows which allows bulk changes across the repositories of CAMARA

    • reporting workflows to support the administration of repositories and releases

  • Open for new proposals - please raise an issue in the repository

API Backlog (@Jorge Garcia Hospital)

• No new APIs or proposals for this session.

• To update:

  • Incubation process voting results: see above. DeviceSwap is now an Incubating API Repository in Sub Project “Number Insights”, PopulationDensityData the first Incubating API Repository in new Sub Project “Population Density Data” (might be renamed if combined with further APIs in future).

  • Frozen API governance proposal review and approval: https://github.com/camaraproject/Governance/pull/190

Commonalities (@Rafal Artych @Pedro Díez García )

• Release Candidate

  • Release PR:

    • https://github.com/camaraproject/Commonalities/pull/478 MERGED. Generated a Follow Up PR to cover minor editorials (this branch was protected as containing release naming):

      • https://github.com/camaraproject/Commonalities/pull/487

      • Update 2025-06-20: PR #387 now merged and Commonalities r3.2 created

  • https://lf-camaraproject.atlassian.net/wiki/spaces/CAM/pages/132218881/Analysis+of+Commonalities+0.6.0-rc.1+changes#Analysis is a helpful documentation for API teams to check which changes are relevant for their APIs

• Event Notification Authentication evolution proposed by Ericsson

  • The discussion will continue as the issue (possibly https://github.com/camaraproject/Commonalities/issues/461 )

    Dedicated meeting with ICM WG members (having expertise in auth flows) should be considered.

  • @Axel Nennker ICM working group proposes to keep the work in Commonalities, ICM will observe and step in if ICM documents need to be change. Probably a placeholder issue in ICM.

• Tooling

  • https://github.com/camaraproject/tooling/issues/22

  • @Herbert Damker Can be done be copying and renaming an existing API, which has a relevant complexity

Identity & Consent Management (@Axel Nennker )

• https://github.com/camaraproject/IdentityAndConsentManagement/pull/295

  • Agreed to be merged (and done). Clarifications in PR #297 can follow later and go into public release

  • ICM r3.2 is created.

• New authentication flow that API Providers should implement!
  https://github.com/camaraproject/IdentityAndConsentManagement/pull/294

• TS.43 token flow descriptions in CIBA and JWT Bearer Flow

• ICM ConsentInfo with broad support by ICM WG participants extended the scope of the subproject. @Jesús Peña García-Oliva

  • @Jesús Peña García-Oliva Create an issue and PR to update the scope within the API proposal template in API Backlog working group

Release Management (@Tanja de Groot@Herbert Damker )

• M2

  • Release Candidate r3.2 · PR #295 · IdentityAndConsentManagement release PR ready to be merged ( – no impact on APIs beyond documentation

    • Update: https://github.com/camaraproject/IdentityAndConsentManagement/releases/tag/r3.2 available

  • Release 3.2 · PR #478 · Commonalities // Release 3.2 · PR #487 · Commonalities (FollowUp) - release PR ready to be merged

    • Update: https://github.com/camaraproject/Commonalities/releases/tag/r3.2 available

  • Actual merge delayed due to holiday to tomorrow or monday (update 2025-06-20: both releases are available)

  • TSC is requested to declare the M2 today

    • Decision: M2 for Fall25 meta-release is declared

• M3: https://lf-camaraproject.atlassian.net/wiki/x/FQApAg

  • First release-candidates (release PRs) of APIs - Jun 21 => moved by TSC decision to June 28th (Saturday next week).

    • TSC will review on July 3rd the status of available release PRs

  • API Sub Projects to merge all content PRs created separately from the release PR which should ONLY update the changelog, the version, the release assets, etc. as per Wiki guidelines.

  • 61 APIs proposed for the meta-release (numbers are not final as API repository teams can decided until M3 milestone to participate), thereof

    • 30 new APIs

    • 31 updated APIs, thereof 9 stable APIs (of which 2 first stable APIs)

    • 40 repositories

  • M3 review issue contains the detailed checklist for reviewers

  • “Admin PRs”: Automated changes have been gracefully enabled by Herbert in GitHub. API Sub Projects may need to merge such “admin PRs” generated to do updates impacting all APIs when possible. example: the update of the API-Readiness-Checklist with an additional row on the API description page (with update due at M4).

  • Call for additional reviewers - please join the Release Management meetings to offer your services!

Specific Topic

• End User Council (EUC) (@Nick Venezia )

  • Lot of confusion about how to get access to actual APIs and the way of onboarding

  • Creating a library of user journeys how to use the APIs

    • e.g. describing the different roles and responsibilities

    • e.g. which companies can help with onboarding

  • Re-engage people who where involved early and left later, getting feedback about where we can better

• OWASP security guidelines (@Kevin Smith )

  • The OWASP API Security project publishes an API Security Top 10 , describing key threats and mitigation solutions. These include vulnerabilities in the OAS YAML files that provide the API definition. Spectral have produced an OWASP API Security Ruleset which detects and logs these vulnerabilities, allowing the API codeowner to apply the appropriate fix. This follows a ‘Secure by design’ principle of ‘shift left’, meaning standard API definitions undergo a vulnerability check before they are passed to implementing publishers. The intention is to add this to the global linters in the Tooling repository, and to test against some sample API definitions, with the goals being (1) enhance API Design Guidelines to recommend appropriate OWASP principles, and (2) assess when such linting could be introduced to the meta-release lifecycle (post Fall 25)

Any Other Business

• none

Next Meeting

• Next TSC Meeting will be on July 3rd, at 9:00 UTC

• End User Council will be added to the regular TSC agenda on each 3rd Thursday of a month

• Specific agenda topics backlog:

  • OWASP security guidelines (@Rafal Artych@Kevin Smith ) - if there are more learning within CAMARA

Action items (from above)