Welcome and introduction 

10 mins

Dietmar Gattwinkel (CEF eDelivery Business Owner, DG CNECT H4)

Dietmar Gattwinkel welcomed the participants and introduced the agenda for the session, asking participants whether any additions should be considered.

Update on REST API profile:

• Scoping document – presentation of latest updates
• Timeline and next steps

30 mins

Bogdan Dumitriu, Vlad Veduta (CEF eDelivery Technical team, DIGIT D3)

• Bogdan Dumitriu presented the new colleague joining the team, Jerry Dimitriou, who would be working as an expert on the REST API profile. Jerry was also involved in the TOOP project and would in the future be involved in the OOP project.
• Bogdan Dumitriu proceeded with the presentation of the changes made to the REST API scoping document following the stakeholders’ feedback in bi-lateral meetings and explained that this version of the document is considered pre-final, subject to a final review cycle ending on 4 October 2020 before being finalised (cf. presentation slides). He reassured that the work planned in this project does not affect in any way the eDelivery AS4 profile. The main changes, based on the feedback received, were related to clarifications concerning the separation between the REST API profile and the CEF eDelivery AS4 profile, on the types of scenarios aimed to be addressed by the profile and on the envisaged technical approach to defining the profile.
• Roberto Polli shared some considerations on Identity and Transport:

o   On Identity, he welcomed the addition of FIDO2 and other techniques that go beyond mutual TLS.

o   On Transport, he suggested to consider that HTTP semantics (e.g. GET, POST) is independent between HTTP/1.1 and HTTP/2.

• Regarding payload signing, Roberto Polli informed that there is ongoing work both in IETF and ETSI on this matter. He suggested to collaborate with these organisations to promote worldwide standards. In this context, he commented that JWS is currently questioned for being too flexible to be secure.
• Roberto Polli raised some questions on why the API was only targeting ‘light context’ scenarios and how the point of multiple corners could be managed.
• Roberto Polli also mentioned that it would be better to work with HTTP rather than AMQP and MQTT as it provides a better semantic layer to support authentication, authorization and integrity.
• Jerry Dimitriou commented that regarding identity it is not about a change of semantics but rather the need to use better functionalities provided by HTTP/2 (e.g., HTTP/2 encrypted headers and other things such as JWS to authenticate both client and response from the server).
• Lorenzino Vaccari commented that in the case of an event-driven architectures, the REST architectural style could be used, but, depending on the requirements, other styles could be more suitable. Event-driven APIs can be documented/published, for example, by using the AsyncAPI specification.

Update on Integration with CEF EBSI (blockchain):

• Presentation of functional specifications
• Timeline and next steps

• Update on JRC reports – Input for upcoming API related events
• Discussion

15 mins

(+ 45 mins discussion)

Monica Posada and Lorenzino Vaccari, JRC B6

Meeting participants to contribute to the discussion

• Monica Posada introduced the session informing about the upcoming API related events and get input to prepare the event on 25^th September: Apidays Essential: Public Administration – Private Sector API Codesign.
• Monica Posada announced publication of the APIs for Digital Government material (reports):
• APIs in Digital Government: https://ec.europa.eu/jrc/en/publication/eur-scientific-and-technical-research-reports/application-programming-interfaces-governments-why-what-and-how
• API framework for API adoption in government : https://ec.europa.eu/jrc/en/publication/application-programming-interface-api-framework-digital-government
• API framework Self-assessment tool: https://ec.europa.eu/eusurvey/runner/APIFrameworkTool
• All reports and additional material is available collection on Joinup: https://joinup.ec.europa.eu/collection/api4dt/about
• The description and the outputs of the Application Programming Interfaces for Digital Government (APIs4DGov) former project are also available at the following link: https://ec.europa.eu/digital-single-market/en/news/apis-enablers-digital-transformation-governments
• Lorenzino Vaccari proceeded to ask participants to the meeting to join a sli.do survey to have more input regarding how the participants manage several aspects related to API, such as life cycle, API design style, documenting APIs, standards for development of APIs, security measures, discovering mechanisms, monitoring, metrics and authentication.
• Roberto Polli explained that in the Italian administration there is an idea to create a central platform for providing machine-to-machine API authentication via authentication & authorisation tokens, to avoid that participants have to rely on a four-corner approach. Robert invited the audience to share any possible national approaches to address this need.
• Martin Volcker asked if there is any information on what is happening on eIDAS regarding ERDS and any relevant legal aspects impacting eDelivery. Dietmar Gattwinkel informed that this aspect is part of the eIDAS review but there is no consolidated answer on this yet. Bogdan Dumitriu mentioned that the project team had a meeting with ETSI to promote the alignment between the ETSI standardisation process, that is evaluating the need to address the REST style in an ERDS context, and the work on the REST API profile.