2024-09-11 ICM Minutes

Community Attendees:

@Jesús Peña García-Oliva @Axel Nennker @Rafal Artych @Tanja de Groot @diego.gonzalezmartinez @Ramesh Shanmugasundaram @Ola Ajibola @Toyeeb Rehman @Mark Cornall

Community Attendees:

@Ramesh Shanmugasundaram @Ming Hui Foo @Toshi Wakayama @Pierre Close @Elisabeth Mueller Pedro Ballesteros, Guido García, Samy Bouchlaghem, Fabio García, David Vallejo, @Syed Rehman @Gaurav Agarwal @G. Murat Karabulut Alexander Boraczynski

LF Staff:

Agenda

Antitrust Policy

Minutes

Topic 1 - #189 Closure. ICM Review the APIs which are targeting "stable" maturity in the Fall24 meta-release @Tanja de Groot

  • Jesús reported that all APIs targeting a stable version in the latest release have been reviewed. So ICM should be able to close this issue. However, no formal confirmation of this has been received from Release Management.

  • Axel agreed, and the issue was closed after no objections were raised by the group.

Topic 2 - #193 Spring25 scope @Jesús Peña García-Oliva

  • Should we start talking about the candidates to decide whether to include them in Spring25? Or do it after the M0 date and wait for more candidates until then?

    • The group agreed to wait until the end of the month (M0 milestone) before finalizing the candidate list. Issues should only be included if they are mature and supported.

  • Should we already include all ICM backlog labeled issues in the list of candidates for analysis, i.e. to decide if they will eventually be part of Spring25 scope?

    • Jesús suggested creating a new label, "spring25-candidate", to identify issues requested for the next release, avoiding automatic inclusion of all backlog items.

    • Axel and the group agreed to this approach to avoid unnecessary overhead and focus discussions on items with explicit interest. Jesús will create the label and encourage issue owners to request inclusion in the next release. → UPDATE (12/09): spring25-candidate label is now available.

  • Should we start working on PR Improve Access and User Consent document #182 and the rest of the documentation topics that seem to be needed for sure for Spring25?

    • There are pending documentation issues, and Jesús suggested starting work on these topics. He proposed splitting @Chris Howell's pull request into smaller ones for easier review and approval.

    • Jesús will leave a comment for @Chris Howell to split the pull request into three: → UPDATE (12/09): done

      1. Terms and definitions

      2. Editorial changes

      3. Info description template

  • New candidates requested:

    • Support for DPoP (Issue #125) and the Operator Token (Issue #145) was discussed as candidates for the next release.

    • The group will review and discuss these requests at the end of the month after the M0 milestone.

    • Axel reminded participants that progress depends on active involvement. Members should not wait for meetings to make proposals or improvements but should create new pull requests or comment on existing ones to advance discussions.

    • Next Steps:

      • Await candidate suggestions until the M0 milestone at the end of the month.

      • Participants to submit pull requests and proposals for candidates to be included in Spring25.

Topic 3 - #194 Proposal to Mandate Use of Signed Authentication Requests for CIBA @Eric Murray

  • Jesús updated the team on previous discussions about signing requests and mentioned that the issue is not yet closed.

  • Jesús believes that TLS and private_key_jwt provide sufficient security, making signing requests unnecessary and adding complexity without significant benefit.

  • Jesús suggested simplifying the implementation alternatives by supporting unsigned requests instead of signed ones, since he felt that the complexity added to the flows by the signed requests didn't provide enough security benefit.

  • Axel commented that TLS provides some protection, but expressed concern that there is no further protection beyond the TLS endpoint.

  • Discussion will continue offline.

Topic 4 - #195 (fix W3C links) and PR #196 Maintenance release

  • Jesús raised the issue of broken references in the current release and the need to fix them through a maintenance release.

  • There was a discussion about following release management guidelines, including creating a maintenance branch instead of merging into the main branch.

  • Axel Nennker emphasized that there shouldn’t be an issue with merging the changes into the main branch since the changes are necessary and don’t conflict with existing work.

  • Both Jesús and Axel agreed to wait for further guidelines from release management regarding naming conventions for new branches and how to proceed with maintenance releases. However, they concluded that it’s acceptable to merge the pull request into the main branch while waiting for further instructions.

  • UPDATE (12/09): Release Management has provided a short-term solution: "as long as there is no other PR for a later version merged into main you can just create the patch release on main itself."

Topic 5 - #197 Replace Frontend Flow to unify consent collection and reduce latency @Chris Howell

  • Since Chris is not on the call, this will need to be discussed offline.

  • Jesús shares the privacy and security concerns raised in Fabio's issue comments about this solution.

  • Jesús suggested that for the scenario described, the operator token (which is not an access token) combined with a flow like CIBA would be a more appropriate solution. The operator token solution is based on standards and provides better privacy and security compared to using an implicit flow to obtain an ID token.

  • Jesús suggested sticking with the standard solution based on Auth code flow and continuing to work on the operator token solution as the preferred approach.

  • Axel agreed that implicit flow presents security issues and should be avoided.

  • Asked participants to express support if they find the proposed solution acceptable, otherwise suggested closing the issue if there is no feedback.

Topics 6 & 7 - New issues #199 & #200

  • Discussed new issues that were opened, noting that the latest issue (200) is related to documentation and suggests using a more generic term like "API provider" instead of "telco operator" or "operator."

  • Axel has created a pull request for the security and interoperability profile (partially fixing #200). Requested comments and review.

  • Acknowledged that terms like "operator" need to be replaced and that this change will affect multiple documents.

  • Suggested having separate pull requests for other documents to manage them better.

  • Tanja will suggest the remaining necessary changes.

Topic 8 - Backlog cleanup:

  • Issues #126, #141 and #174 have been closed.

Next meeting

2024-09-25 https://lists.camaraproject.org/calendar
