Markdown Version | Session Recording
Session Date/Time: 25 Nov 2025 15:30
OCM
Summary
The inaugural OCM Working Group virtual meeting reviewed the administrative status, including the recent adoption of draft-ietf-ocm-open-cloud-mesh. Discussions covered the history and current state of OCM, ongoing development work (data set advertisements, request sharing, journaling), and recent code flow enhancements. A significant part of the meeting focused on the implications of the code flow changes, particularly regarding naming conventions and backward compatibility, with participants emphasizing security and the working group's role in refining the specification. The current state of OCM implementations and the OCM test suite were also presented, highlighting progress and future needs.
Key Discussion Points
- Draft Adoption and Update Process: The working group officially adopted `draft-ietf-ocm-open-cloud-mesh`. Discussion ensued regarding the process for updating an adopted draft. It was clarified that while authors retain control, changes must be reported to the group and vetted via the mailing list, with significant changes potentially warranting a dedicated meeting. The mailing list is the primary channel for discussion.
- OCM History and Maturity: Giuseppe provided an overview of OCM's origins with GEANT and its evolution through the CS3 community, leading to the IETF draft. He highlighted that different aspects of the specification have varying maturity levels, with some features being production-ready and others still conceptual or in need of refinement, especially security aspects. The WG's role is to scrutinize and elevate the standard.
- Ongoing OCM Work (Pre-Specification): Miki presented three areas not yet formally in the specification:
  - Advertisements of Datasets: A GitHub PR introduces a new endpoint (`discovery/resource_advertisement_uri`) to publish data sets for discovery, using RO-Crate for description.
  - Request Sharing: A companion PR for `request_share` allows users to request access to advertised data sets.
  - OCM Journaling: A GitHub discussion point for detecting missing OCM messages and enabling message replay, utilizing sequential IDs and a condensed format for resilience during outages.
- Code Flow Enhancements: Miki detailed substantial improvements to the code flow, making it clearer and aligning JSON messages with OAuth/OIDC for better library reuse. Key changes include a configurable token endpoint, renaming the capability from `receive_code` to `token_exchange`, and reusing `shared_secret` (now acting as a refresh token for short-lived tokens).
- Backward Compatibility and Naming Concerns: The code flow changes were merged into version 8 of the draft after the call for adoption (which was based on version 7). Giuseppe noted these were breaking changes but acceptable for a less mature, unimplemented part of the spec. Matthias Krauss raised concerns about continuing to use the name `shared_secret` for what is functionally a refresh token, citing potential security risks if older implementations misinterpret its use.
- Security Priority in the WG: David emphasized that the working group should prioritize security and be willing to introduce breaking changes for a more robust and clear API (e.g., for an OCM 2.0). Ted Hardie supported this, suggesting early review by the IETF Security Directorate.
- OCM Implementation and Test Suite: Madi presented current implementation efforts, including code flow for Nextcloud and work on a "Where are you from" page for invitation acceptance.
  - Nextcloud Code Flow: The new OAuth 2.0-based code flow addresses the security risk of permanent `shared_secret` tokens by introducing short-lived access tokens obtained via refresh tokens. Nextcloud currently uses signed HTTP requests for server verification.
  - OCM Reference Implementation: The need for a more OCM-focused reference implementation (beyond REVA) was identified to facilitate testing new ideas (like journaling) during specification development.
  - OCM Test Suite: An isolated Docker-based test suite performs 1:1 cross-platform/version validation (e.g., Nextcloud, OSIS). The goal is to integrate these tests into vendor CI systems to catch OCM violations earlier. The current `nodejs` reference implementation is outdated and needs a rewrite.
Decisions and Action Items
- Decision: `draft-ietf-ocm-open-cloud-mesh` has been officially adopted by the OCM Working Group.
- Action Item: Authors of the adopted draft are to update its name to reflect working group adoption. (Chairs will follow up via email.)
- Action Item: Discussion on the naming of the `shared_secret` field within the code flow and the broader question of introducing breaking changes for security/clarity should continue on the OCM mailing list and related GitHub issues. Miki has already sent an email to the mailing list to initiate this discussion. Giuseppe will also contribute to frame the discussion.
Next Steps
- Continue engaging on the OCM mailing list for ongoing discussions, particularly regarding the code flow naming and the philosophy around backward compatibility versus introducing breaking changes for security and clarity.
- Review the GitHub PRs for "Advertisements of Datasets" and "Request Sharing," and the GitHub discussion for "OCM Journaling," providing feedback to guide their development.
- Madi's team will continue developing the Nextcloud code flow implementation, refine the OCM test suite, and explore integrating OCM tests into vendor CI systems. The OCM reference implementation will be refined/rewritten.
- Consider seeking early review from the IETF Security Directorate for the OCM specification to ensure alignment with IETF security expectations.