Meetings 2026

Date: 2026-04-28 11:00 CEST

Agenda

• STA work status update
• Spec work and IETF interim meeting
• AOB

Present

• Julian Koberg
• Micke Nordin
• Richard Freitag
• Enrique P. Arnaud
• Giuseppe Lo Presti

Minutes

• STA work:
  • Enrique and Micke reported that the exchange-token PR is eventually passing all tests. Micke contacted Nextcloud for review and final merge.
  • Webapp is due to start next week, Giuseppe will circulate his proposal for the spec as soon as possible
• IETF Interim
  • The other relevant topic was Notifications: Giuseppe will circulate the proposal to evolve the spec, current implementations in Nextcloud and oCIS are incompatible (and both have issues). Julian available to commit resources to adapt oCIS.
• MLS over OCM proposal, Micke
  • In a nutshell, the proposal is to use OCM Notifications to encapsulate the MLS protocol for groups
  • Member removal: we may need to re-encrypt the shared data. Q: Can we revoke the key somehow?
    • Access control is delegated to "servers honestly discarding superseded keys", not on cryptography
  • Agreed to discuss this over the mailing list, and/or in a follow-up meeting

Date: 2026-04-14 11:00 CEST

Present

• Julian Koberg
• Yul Bahat
• Micke Nordin
• Richard Freitag

Minutes

Presentations by Micke Nordin Micke presented 6 topics during the meeting, as preparation for the IETF Interim Session: a. Architecture Discussion for Webapps

• Webapp to present a resource alongside the resource itself
• Example: Jupyter Notebook over OCM
• Resources shared via WebDAV
• Webapp sharing options: Inside an iframe with correct CSP/CSRF headers, Open in a new window
• Credentials passed outside the URL using POST with form-encoded parameters b. Journaling
• Discussed journaling features and their implementation c. Request for Share
• Addressed the process and requirements for resource sharing d. Advertisement of Resources
• Explored methods to advertise resources effectively e. Federated Group Management
• Proposed as a separate internet draft
• Utilizes MLS (Message Layer Security):
  • Reuse MLS to maintain group state between epochs
  • All members of a federated group can derive a common group key
  • Enables encrypted private messages
  • Introduces an encrypted share type: Wrapped encrypted key to access resources (e.g., WebDAV) f. Notifications
• Standardized notifications:
  • Currently, only Nextcloud has good implementations
  • Kiteworks also provides notification endpoints
  • Sending instance can inform receiving instance of changes
  • Notifications are still underspecified and require further work (STA work)
• Next Steps: Notification work to continue after the interim meeting

Licensing A question was asked about potential licensing issues in the webapp specification

• Use of access tokens to access documents
• Count access for users accessing resources
• Outsourcing licensing to software vendors
• Explicitly state licensing requirements

Security

• View Mode: View-only/read-only access
• Webapps: Discussion on where the apps are running
• Kiteworks Security Review: Security audit expected as a deliverable
• For IETF specifications:
  • Include security considerations
  • Provide guidance on risks and mitigation strategies
  • Identify potential fixes for the specification
  • Kiteworks to deliver their report soon
  • Specification should explicitly address:
    • Risks that cannot be prevented
    • Possibility of rogue admins
  • Mitigation: Governance strategies to address risks

Action Items and Next Steps

• Continue work on standardized notifications after the interim meeting
• Await Kiteworks' security review report
• Follow up with Barend Mons for feedback
• Address underspecified areas in notifications and licensing

References and Links

• Interim Meeting Session
• OCM-API Meetings 2026 Wiki
• OCM-API Issue #350

Date: 2026-03-31 11:00 CEST

Present

• Giuseppe Lo Presti
• Micke Nordin
• Julian Koberg
• Mahdi Baghbani - Offline, but report via PR
• Rasmus Welander
• Richard Freitag

Minutes

• STA work status update
  • M6 was claimed by Mahdi, can be easily integrated in ownCLoud and OpenCloud, not only CERNBox reva.
  • Mahdi is working on integrating this into Enriques work on Nextcloud, hopefully finalized next week.
• Spec work - PR:s
  • Clarify code flow sender and receiver semantics <- Cleanup/clarification
    • This is not controversial in anyway and can be merged. token-exchange vs exchange-token, should we use must-exchange-token as criteria instead? This would align with mfa.
  • Journaling <- New feature
    • To be decided in the next IETF interim meeting, come there and discuss.
  • ResourceDiscovery <- New feature
    • Incorporates FAIR principles that are also machine actionable, also provide an alternative to dataspaces. To be decided in the next IETF interim meeting, come there and discuss.
  • RequestShare <- New feature
    • To be decided in the next IETF interim meeting, come there and discuss. Spamming could be an issue here.
• Spec work - ISSUES:s
  • WebApp - Micke
    • Micke has a similiar report as Mahdi, will send a pr for this.
  • Notifications - Mahdi
  • Federation Sharing
    • Maybe leave this quite open in the core specification, and leave the possibility to do MLS over OCM in a future I-D, possibly needs a recharter of the working group.
• CS3 workshop / IETF Meeting / ISGC Symposium debrief
  • Digital Sovereignty was a big topic in CS3. Richard met Barend Mons who expressed interest in OCM. We should invite him to discuss resource discovery. Micke held a Hot-Rfc talk at IETF 125, we should also keep an eye on canonical jscontact uri, which could be interesting for invitations in OCM.
• Security review
  • ownCloud has offered to do this. We should probably also as CERN security team that has offered also, so maybe do both.
• OCM hexagon stickers were printed along with CS3 stickers. We should give the current logo to IETF protocol badge designers and see what the come up with.

Date: 2026-03-10 11:00 CET

Agenda

• STA work status update
  • M5 can be claimed, but Mahdi is unable to proceed given the worsening situation in his place. Can this be done on his behalf?
• Spec work
  • https://github.com/cs3org/OCM-API/pull/344 is ready for review, can we merge before CS3?
• CS3 workshop / IETF Meeting / ISGC Symposium
• AOB
  • Meeting next week is canceled, then back to usual pace with March 31st, 2026, at 11:00

Present

• Giuseppe Lo Presti
• Enrique P. Arnaud
• Julian Koberg
• Rasmus Welander
• Roman Perekhod
• Matthias Kraus
• Klaas Freitag
• Richard Freitag

Minutes

STA

• Mahdi's work finished, Giuseppe to send an email to PonderSource for the invoicing [done after the meeting].
• Enrique working on finalizing the database part, testing on his side before moving forward with PR.

Spec work

• New PR regarding the /.well-known/ endpoint in the OpenAPI spec, to be merged and published before CS3.

CS3 Workshop (17th-19th of March) et al.

• Richard to present at ISGC in Taipei.
• Micke to attend IETF 125 in Shenzhen.
• Giuseppe to present OCM, with a panel and one slide with all the vendors.
  • Seafile to implement once the RFC is finalized.
  • OneData looking into implementing OCM since they are a part of the EOSC projects.
  • Presentation by Mahdi on the test suite unfortunately to be cancelled because of the current situation
• Rasmus to present about how OCM is used in EOSC Data Commons projects.

AOB

• Meeting cancelled next week due to CS3 Workshop and IETF Meeting
• Next meeting in three weeks 31st of March (original bi-weekly meeting schedule resumed)
• Summaries of IETF, Taipei, and CS3 by Micke, Richard, and Giuseppe.
• Pull request by Mahdi in OpenCloud finally merged.

Date: 2026-02-17 11:00 CET

Agenda

• STA work status update
• Spec work
• CS3 workshop
• AOB

Present

• Giuseppe Lo Presti
• Enrique P. Arnaud
• Micke Nordin
• Julian Koberg
• Mahdi Baghbani
• Roman Perekhod

Minutes

STA

Enrique is waiting on Nextcloud. Reused some database fields, needs to discuss with maintainers. Next part of Nextcloud work starts after March, it is regarding application sharing.

Mahdi has been speed running the work this month, and has submitted a report PR to OCM-STA and has started to work on code flow in reva.

Giuseppe will send an email to STA to request an extension in case Mahdi needs some more time due to recent internet issues.

Spec Work

If a request is signed and the signature validation fails, for example during token exchange, what should the error be? We should review errors for the case when one part succeeds and another part fails.

It is up to vendors to decide how to handle for example Cavage style signature, no signatures etc, spec only allow the RFC style signatures.

Tooling for the ASCII art is not really sorted out, worst case we remove it. Micke will take a look.

Groups over OCM is something we should work on. Could be based on MLS with OCM specific messaging for welcome messages etc.

Is ownCloud interested in doing a security review of OCM as a protocol? CERN security expert is also interested in doing this, so two independent security reviews would be great.

CS3 workshop

Giuseppe will send a request to all vendors for a statement of support.

Mahdi is working on the slides, but may not be able to come to Oslo due to unrest.

David is coming from ownCloud, and maybe Julian will make it too.

AOB

Several EOSC projects (Future and Connect) have been approved, and both CERN and SUNET is funded to build up federations using OCM.

We have good hope for STA funding for FileSender. OneData is also thinking about implementing OCM.

Next meeting is moved to 10:th of March.

Date: 2026-02-03 11:00 CET

Agenda

• STA work status update
• Spec work
  • v1.3 is out. Tried to fix the formatting but failed -> need to involve the WG chairs.
• CS3 workshop
  • Eventually we are going to have an OCM Campfire for the technology foundation, and an Interoperability and Federations session for the "consumers" of OCM.
• AOB
  • EC call for feedback about Open Source, ends today

Present

• Giuseppe Lo Presti
• Enrique P. Arnaud [offline report]
• Micke Nordin
• Yul Bahat
• Julian Koberg
• Rasmus Welander
• Michael Barz
• Mahdi Baghbani

Minutes

• STA work

  • Enrique [offline]: progress on fixing https://github.com/nextcloud/server/pull/57234 but some errors are due to recent changes from upstream (the PR is against master).
  • STA reached out about publicity, we should do something about this.
  • FileSender has sent a proposal to implement OCM with funding from STA
  • CernBox will merge tests soon, ownCloud and OpenCloud has not received PR:s yet.

• Spec work

  • 1.3 is out, but formatting of ASCII art is broken, we need help with this. Giuseppe will send an email to the mailing list to see if someone can assist.
  • Request to share and discovery - is this something we want? Big Tech have this functionality, were you get knowledge about a resource, and can request access. From ownCloud side OCM is seen as complicated and mostly useful for scientific usecase, so adding features is ok even if only useful for research.

• CS3 Workshop

  • The schedule will be cramped, but we will have two sessions, one for consumers and one for in-depth technical details. All vendors invited to describe their commitment to OCM, and willingness to come to Vienna IETF meeting.

• AOB

  • EC call for feedback on Open Source. We will discuss in matrix if and how to respond as a community.

Date: 2026-01-20 11:00 CET

Agenda

• STA work status update
• Spec work
  • Proposal: create a change log with all modifications so far and tag 1.3 + submit to data tracker. See https://github.com/cs3org/OCM-STA/issues/25
• CS3 workshop
  • Record number of contributions => the Campfire session on Interoperability and OCM will have to be particularly effective. Giuseppe proposes to approach the 3 major vendors to give a one-slide statement on their plans to support OCM, and there are significant contributions from other actors. A draft schedule will be published soon.
• AOB

Present

• Giuseppe Lo Presti
• Enrique P. Arnaud
• Micke Nordin
• Yul Bahat
• Julian Koberg
• Ron Trompert
• Antoon Prins
• Bo Nygaard Bai

Minutes

STA

• A few tests are still in need of fix for https://github.com/nextcloud/server/pull/57234 - probably done by end of week, for sure end of month.

Spec work

• We will create a 1.3 version tag and a 01 version of the spec and ask OCM-WG chairs to start a call for adoption. Micke will tag a version and upload the xml to the data tracker.

CS3 Workshop

We will hold a Campfire session in Oslo - all three major vendors will be there. European Commission may also be represented. Giuseppe will chair and Mahdi will present on the test suite.

Richard will be in Taiwan to present OCM and Micke will do the same in IETF125.

AOB

Should we keep a version field in the discovery? We need to talk about it in the Working group and decide, the options are: Prescribe a version with a point release, e.g. 1.4.1 OR prescribe version 1 without points, OR remove version completely.

Should we have a IANA register for protocols, now we have webdav, ssh and webapp, but we allow anything explicitly in the the spec, maybe they can be registered in a registry.