-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New CAEP event - Risk level change event #205
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -822,6 +822,61 @@ The following is a non-normative example of a Session Presented event: | |
}} | ||
~~~ | ||
|
||
## Risk Level Change {#risk-level-change} | ||
Event Type URI: | ||
|
||
`https://schemas.openid.net/secevent/caep/event-type/risk-level-change` | ||
|
||
A vendor may deploy mechanisms to gather and analyze various signals associated with subjects such as users, devices, etc. These signals, which can originate from diverse channels and methods beyond the scope of this event description, are processed to derive an abstracted risk level representing the subject's current threat status. | ||
|
||
The Risk Level Change event is employed by the Trasnmitter to communicate any modifications in a subject's assessed risk level at the time indicated by the `event_timestamp` field in the Risk Level Change event. The Transmitter may generate this event to indicate: | ||
|
||
* User's risk has changed due to potential suspecious access from unknown destination, password compromise, addition of strong authenticator or other reasons. | ||
* Device's risk has changed due to installation of unapproved software, connection to insecure pheripheral device, encryption of data or other reasons. | ||
* Any other subject's risk changes due to variety of reasons. | ||
|
||
|
||
### Event Specific Claims {#risk-level-change-event-specific-claims} | ||
The following optional claims MAY be present in a Session Presented event: | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Could we add a field that describes the type of risk? You mention in your example user risk and device risk. What if we had a field called
There may be other values that we should include in this enum as well. |
||
reason_admin | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think it is a mistake to make this optional field required and to use it for passing important info about the event. |
||
: REQUIRED, JSON string indicates the reason that contributed to the risk level changes by the Transmitter. Overall this is an OPTIONAL claim, but marked as REQUIRED for Risk Level Change to indicate reasons behind the risk level change. | ||
|
||
current_level | ||
: REQUIRED, JSON string indicates the current level of the risk for the subject. Value MUST be one of LOW, MEDIUM, HIGH | ||
|
||
previous_level | ||
: OPTIONAL, JSON string indicates the previously known level of the risk for the subject. Value MUST be one of LOW, MEDIUM, HIGH. If the Transmitter omits this value, the Receiver MUST assume that the previous assurance level is unknown to the Transmitter. | ||
|
||
|
||
### Examples {#session-presented-examples} | ||
The following is a non-normative example of a Session Presented event: | ||
|
||
~~~json | ||
{ | ||
"iss": "https://idp.example.com/123456789/", | ||
"jti": "24c63fb56e5a2d77a6b512616ca9fa24", | ||
"iat": 1615305159, | ||
"aud": "https://sp.example.com/caep", | ||
"txn": 8675309, | ||
"sub_id": { | ||
"format": "iss_sub", | ||
"iss": "https://idp.example.com/3456789/", | ||
"sub": "[email protected]" | ||
}, | ||
"events":{ | ||
"https://schemas.openid.net/secevent/caep/event-type/risk-level-change":{ | ||
"current_level": "LOW", | ||
"previous_level": "HIGH", | ||
"event_timestamp": 1615304991643, | ||
"reason_admin":{ | ||
"en": "User's password detected in the pwned password dump" | ||
} | ||
} | ||
} | ||
} | ||
~~~ | ||
|
||
# Security Considerations | ||
Any implementations of events described in this document SHOULD comply with the Shared Signals Framework {{SSF}}. Exchanging events described herein without complying with the Shared Signals Framework {{SSF}} may result in security issues. | ||
|
||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.