2024-03-06
This meeting is part of the quarterly CAB meeting schedule.
This page concerns the CAB meeting held on March 6, 2024 at 15:00 CET.
Agenda
Welcome + introduce new participants
Update on the implementation of RFCs on the RFC board
Advice on the implementation of RFCs
Input/review required:
Advice on newly incoming RFCs:
RFC prioritisation: discuss priority on the RFC board
Wrap up and outlook to next quarter
Decisions
A transcription of the meeting is available upon request.
RFC047: Generalisation of the capabilities endpoint: will be scheduled for an upcoming deep dive, where iSHARE Foundation will provide a detailed suggestion of the new endpoint definition. They will take into account proper versioning (looking at semver.org for inspiration), minimal mandatory fields and a flat structure.
RFC048: Improve change and release management process: input can be provided through the regular channels and the RFC will be scheduled for a deep dive session.
Allow service provider to retrieve delegation evidence in which it is mentioned without service consumer's client assertion: CAB supports this request and suggests using the current feature of specifying the Service Provider environment.
Revert to standard OAuth authentication flows: CAB advises reviewing new OAuth specification proposals regarding JWTs to be implemented in the standard. Rajiv highlights the legal aspects of the current specification (vs standard OAuth) and the upcoming implementation of verifiable credentials as an alternative. The CAB sees this as an opportunity to look at the additional standards/amendments proposed under the main RFC to see whether they offer better alignment with iSHARE.
Applicability of SLAs under Adhering parties contract should be applicable only to parties providing services: CAB advises taking this up as an RFC.
No API consuming Service Consumers to be onboarded without the PKI certificate: CAB advises taking this up as an RFC.
Define what can be overwritten and what not in the framework: CAB advises taking this up as an RFC and suggests using the concept of prevalence and making parts optional to achieve a simpler implementation.
Allow conditional delegations: CAB advises taking this up as an RFC and gathering feedback in a deep dive session, while making sure that the actual implementation remains simple and backwards compatible, as the existing policy evidence structure is already comprehensive.
Priority is determined by the order on the board: the higher the RFC card is in its column, the higher the priority of the RFC.