Session Date/Time: 21 Apr 2026 14:30
OCM
Meeting: OCM Interim Meeting
Date: [Date of Interim 2026-01]
Chairs: Thibault Meunier
Secretary: Michael Richardson
Summary
The OCM working group held an interim meeting to discuss several enhancements to the core specification, draft-ietf-ocm-open-cloud-mesh. The primary focus was on transitioning from a purely push-based sharing model to a pull-based model ("Request for Share"), improving the security and interoperability of WebApp sharing, and standardizing the notification payload format to resolve current incompatibilities between major implementations.
Key Discussion Points
1. Request for Share
Presenter: Micke Nordin
Slides: Request for Share
Micke Nordin introduced a proposal (PR 194) for a new OCM endpoint that allows users to request access to a resource rather than waiting for an owner to initiate a share.
- Mechanism: The requester's OCM server sends a request identifying the resource and the user. The resource owner is notified and can then perform a sharing gesture to accept.
- Technical Details: The proposal uses a JSON body with `sender`, `share_with`, and `share_id`. It requires TLS and authentication via HTTP signatures.
- Discussion:
- Giuseppe Presti expressed support, noting that this mimics "Request Access" features in services like Google Drive.
- Regarding resource identification, Giuseppe Presti mentioned that CERNBox addresses files by full paths and suggested the `share_id` remain generic enough to accommodate both opaque IDs and human-readable paths.
- Micke Nordin agreed that the nature of the ID should not be strictly prescribed but could include paths.
2. WebApp Sharing
Presenter: Micke Nordin
Slides: WebApp Sharing
Micke Nordin presented improvements to the "web application" share type in draft-ietf-ocm-open-cloud-mesh, which is currently under-specified and insecure (previously using credentials in URLs).
- Proposed Changes:
- Introduction of embedding capabilities: `iframe`, `redirect`, and `popup`.
- Enhanced protocol objects including `permission`, `app_name`, and `app_icon`.
- Secure token exchange using an HTML form post (similar to OIDC) to avoid exposing credentials in browser history or server logs.
- Discussion:
- Lisa Dusseault questioned the use of the word "accept" in capability advertising (e.g., `accept-web-app-frame`), noting it might flip standard HTTP semantics. Micke Nordin clarified that this signifies what the receiving server is capable of displaying.
- Giuseppe Presti suggested that these embedding options belong within the protocol specification rather than as general discovery capabilities to allow for per-application settings (e.g., Collabora via iframe vs. Jupyter via redirect).
- Micke Nordin argued that `iframe`, `redirect`, and `popup` cover nearly all browser presentation modes and should serve as a minimal common set.
3. Notifications
Presenter: Giuseppe Presti
Slides: Notifications
Giuseppe Presti (presenting on behalf of Madi) highlighted interoperability issues in the current notification system within draft-ietf-ocm-open-cloud-mesh.
- Current Issues: Implementations like Nextcloud and ownCloud use different, incompatible payloads for notifications. Some applications (e.g., Nextcloud Talk) use custom notification types that are not part of the OCM spec.
- Proposal:
- Establish a minimal common payload for file sharing notifications.
- Explicitly forbid the use of shared secrets in notifications if a token exchange flow is used.
- Allow for custom payloads if the application is correctly advertised in discovery.
- Discussion:
- Micke Nordin proposed an IANA registry for notification types to allow developers to register new types for compatibility.
- Lisa Dusseault confirmed that an IANA registry is a viable path forward and can be established via the document process.
Decisions and Action Items
- Decisions:
- The group expressed general consensus on the utility of the "Request for Share" model and the move toward form-post token delivery for WebApps.
- The draft-ietf-ocm-open-cloud-mesh will be updated to reflect more robust notification structures.
- Action Items:
- Giuseppe Presti to share a link to the CERNBox WebApp sharing demonstration on the mailing list.
- Micke Nordin to start individual mailing list threads for the topics not reached during the meeting (Resource Discovery, OCM Journaling, and MLS over OCM).
Next Steps
- Discussion will continue on the mailing list regarding the placement of WebApp embedding options (capabilities vs. protocol properties).
- Remaining presentations from the interim session will be moved to the mailing list or a subsequent meeting to prepare for the in-person session in Vienna (IETF 122).