openid · appsdesh · Sep 20, 2024 · Sep 24, 2024 · Sep 24, 2024 · Oct 18, 2024
@@ -28,6 +28,7 @@ on:
       - contributing.md
       - .gitignore
       - working-group-charter.md
+  workflow_dispatch:
 
 jobs:
   build-sharedsignals:
@@ -37,9 +38,9 @@ jobs:
     steps:
       - uses: actions/checkout@v3
       - name: Set up Ruby
-        uses: ruby/setup-ruby@ec02537da5712d66d4d50a0f33b7eb52773b5ed1
+        uses: ruby/setup-ruby@v1
         with:
-          ruby-version: '3.1'
+          ruby-version: '3.3'
       - uses: actions/setup-python@v4
         with:
           python-version: '3.10' 
@@ -70,9 +71,9 @@ jobs:
       - name: Render caep-interop text
         run: xml2rfc openid-caep-interoperability-profile-1_0.xml --text -o openid-caep-interoperability-profile-1_0.txt
       - name: Upload artifact
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4.4.0
         with:
-          name: output
+          name: specfiles
           path: |
             openid-sharedsignals-framework-1_0.html
             openid-sharedsignals-framework-1_0.txt
@@ -94,13 +95,13 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
     steps:
       - name: Download artifact
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4.1.7
         with:
-          name: output
+          name: specfiles
       - name: Upload pages artifact
-        uses: actions/upload-pages-artifact@v1
+        uses: actions/upload-pages-artifact@v3
         with:
           path: .
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v2
+        uses: actions/deploy-pages@v4
@@ -1,10 +1,11 @@
 ---
 title: OpenID Continuous Access Evaluation Profile 1.0 - draft 03
+
 abbrev: CAEP-Spec
 docname: openid-caep-1_0
 date: 2024-06-19
 
-ipr: none
+ipr: none 
 cat: std
 wg: Shared Signals
 
@@ -734,9 +735,6 @@ The `event_timestamp` in this event type specifies the time at which the session
 ### Event Specific Claims {#session-established-event-specific-claims}
 The following optional claims MAY be included in the Session Established event:
 
-ips
-: The array of IP addresses of the user as observed by the Transmitter. The value MUST be in the format of an array of strings, each one of which represents the RFC 4001 {{RFC4001}} string represetation of an IP address. (**NOTE**, this can be different from the one observed by the Receiver for the same user because of network translation)
-
 fp_ua
 : Fingerprint of the user agent computed by the Transmitter. (**NOTE**, this is not to identify the session, but to present some qualities of the session)
 
@@ -766,10 +764,9 @@ The following is a non-normative example of the `session-established` event type
     },
     "events": {
         "https://schemas.openid.net/secevent/caep/event-type/session-established": {
-          "ips": ["192.168.1.12", "10.1.1.1"],
           "fp_ua": "abb0b6e7da81a42233f8f2b1a8ddb1b9a4c81611",
           "acr": "AAL2",
-          "amr": "otp",
+          "amr": ["otp"],
           "event_timestamp": 1615304991643
         }
     }
@@ -789,9 +786,6 @@ The Session Presented event signifies that the Transmitter has observed the sess
 ### Event Specific Claims {#session-presented-event-specific-claims}
 The following optional claims MAY be present in a Session Presented event:
 
-ips
-: The array of IP addresses of the user as observed by the Transmitter. The value MUST be in the format of an array of strings, each one of which represents the RFC 4001 {{RFC4001}} string represetation of an IP address. (**NOTE**, this can be different from the one observed by the Receiver for the same user because of network translation)
-
 fp_ua
 : Fingerprint of the user agent computed by the Transmitter. (**NOTE**, this is not to identify the session, but to present some qualities of the session)
 
@@ -814,12 +808,68 @@ The following is a non-normative example of a Session Presented event:
     },
     "events": {
         "https://schemas.openid.net/secevent/caep/event-type/session-presented": {
-          "ips": ["192.168.1.12","10.1.1.1"],
           "fp_ua": "abb0b6e7da81a42233f8f2b1a8ddb1b9a4c81611",
           "ext_id": "12345",
           "event_timestamp": 1615304991643
         }
-    }}
+    }
+}
+~~~
+
+## Risk Level Change {#risk-level-change}
+Event Type URI:
+
+`https://schemas.openid.net/secevent/caep/event-type/risk-level-change`
+
+A vendor may deploy mechanisms to gather and analyze various signals associated with subjects such as users, devices, etc. These signals, which can originate from diverse channels and methods beyond the scope of this event description, are processed to derive an abstracted risk level representing the subject's current threat status.
+
+The Risk Level Change event is employed by the Transmitter to communicate any modifications in a subject's assessed risk level at the time indicated by the `event_timestamp` field in the Risk Level Change event. The Transmitter may generate this event to indicate:
+
+* User's risk has changed due to potential suspecious access from unknown destination, password compromise, addition of strong authenticator or other reasons.
+* Device's risk has changed due to installation of unapproved software, connection to insecure pheripheral device, encryption of data or other reasons.
+* Any other subject's risk changes due to variety of reasons.
+
+
+### Event Specific Claims {#risk-level-change-event-specific-claims}
+
+risk_reason
+: RECOMMENDED, JSON string: indicates the reason that contributed to the risk level changes by the Transmitter.
+
+principal
+: REQUIRED, JSON string: representing the principal entity involved in the observed risk event, as identified by the transmitter. The subject principal can be one of the following entities USER, DEVICE, SESSION, TENANT, ORG_UNIT, GROUP, or any other entity as defined in Section 2 of {{SSF}}. This claim identifies the primary subject associated with the event, and helps to contextualize the risk relative to the entity involved.
+
+current_level 
+: REQUIRED, JSON string: indicates the current level of the risk for the subject. Value MUST be one of LOW, MEDIUM, HIGH
+
+previous_level 
+: OPTIONAL, JSON string: indicates the previously known level of the risk for the subject. Value MUST be one of LOW, MEDIUM, HIGH. If the Transmitter omits this value, the Receiver MUST assume that the previous risk level is unknown to the Transmitter.
+
+
+### Examples {#risk-level-change-examples}
+The following is a non-normative example of a Risk Level Change event:
+
+~~~json
+{
+    "iss": "https://idp.example.com/123456789/",
+    "jti": "24c63fb56e5a2d77a6b512616ca9fa24",
+    "iat": 1615305159,
+    "aud": "https://sp.example.com/caep",
+    "txn": 8675309,
+    "sub_id": {
+      "format": "iss_sub",
+      "iss": "https://idp.example.com/3456789/",
+      "sub": "[email protected]"
+    },
+    "events":{
+      "https://schemas.openid.net/secevent/caep/event-type/risk-level-change":{
+         "current_level": "LOW",
+         "previous_level": "HIGH",
+         "event_timestamp": 1615304991643,
+         "principal": "USER",
+         "risk_reason": "PASSWORD_FOUND_IN_DATA_BREACH"
+      }
+   }
+}
 ~~~
 
 # Security Considerations

@@ -74,7 +74,7 @@ normative:
         ins: A. Tulshibagwale
         name: Atul Tulshibagwale
         org: SGNL
-  RFC7525: # Recommendations for Secure Use of Transport Layer Security
+  RFC9325: # Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
   RFC6125: # Representation and Verification of Domain-Based Application Service Identity within Internet Public Key 
            # Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)
   RFC6750: # The OAuth 2.0 Authorization Framework: Bearer Token Usage
@@ -125,7 +125,7 @@ The following requirements are common across all use-cases defined in this docum
 
 ## Network layer protection
 * The SSF transmitter MUST offer TLS protected endpoints and MUST establish connections to other servers using TLS. TLS connections MUST be set up to use TLS version 1.2 or later.
-* When using TLS 1.2, follow the recommendations for Secure Use of Transport Layer Security in [RFC7525]{{RFC7525}}.
+* The SSF transmitter MUST follow the recommendations for Secure Use of Transport Layer Security in [RFC9325]{{RFC9325}}.
 * The SSF receiver MUST perform a TLS server certificate signature checks, chain of trust validations, expiry and revocation status checks before calling the SSF transmitter APIs, as per [RFC6125]{{RFC6125}}.
 
 ## CAEP specification version

@@ -115,6 +115,7 @@ normative:
   RFC8936:
   RFC9110:
   RFC9493:
+  RFC4001:
   CAEP:
     author:
     -
@@ -386,6 +387,31 @@ Subject Identifier Format.
     "assertion_id": "_8e8dc5f69a98cc4c1ff3427e5ce34606fd672f91e6"
 }
 
+~~~
+{: #sub-id-ips title="Example: 'ips' Subject Identifier"}
+
+### IP Addresses Subject Identifier Format {#sub-id-ips}
+
+The "IP addresses" Subject Identifier Format specifies an array of IP addresses observed by the Transmitter.
+Subject Identifiers of this format MUST contain the following members:
+
+ips
+
+> REQUIRED. The array of IP addresses of the subject as observed by the Transmitter. The value MUST be in the format of an array of strings, each one of which represents the {{RFC4001}} string representation of an IP address.
+
+
+The "IP addresses" Subject Identifier Format is identified by the name
+"ips".
+
+Below is a non-normative example of Subject Identifier for the "IP addresses"
+Subject Identifier Format.
+
+~~~ json
+{
+    "format": "ips",
+    "ips": ["10.29.37.75", "98.27.134.237"]
+}
+
 ~~~
 {: #sub-id-samlassertionid title="Example: 'saml_assertion_id' Subject Identifier"}
 
@@ -436,23 +462,28 @@ The following are hypothetical examples of SETs that conform to the Shared Signa
   "txn": 8675309,
   "aud": "636C69656E745F6964",
   "sub_id": {
-      "format": "complex",
-      "user": {
-          "format": "iss_sub",
-          "iss": "https://idp.example.com/3957ea72-1b66-44d6-a044-d805712b9288/",
-          "sub": "[email protected]"
-      },
-      "device": {
-          "format": "iss_sub",
-          "iss": "https://idp.example.com/3957ea72-1b66-44d6-a044-d805712b9288/",
-          "sub": "e9297990-14d2-42ec-a4a9-4036db86509a"
-      }
+    "format": "complex",
+    "user": {
+      "format": "iss_sub",
+      "iss": "https://idp.example.com/3957ea72-1b66-44d6-a044-d805712b9288/",
+      "sub": "[email protected]"
+    },
+    "device": {
+      "format": "iss_sub",
+      "iss": "https://idp.example.com/3957ea72-1b66-44d6-a044-d805712b9288/",
+      "sub": "e9297990-14d2-42ec-a4a9-4036db86509a"
+    }
   },
   "events": {
     "https://schemas.openid.net/secevent/caep/event-type/session-revoked": {
       "initiating_entity": "policy",
-      "reason_admin": "Policy Violation: C076E82F",
-      "reason_user": "Landspeed violation.",
+      "reason_admin": {
+        "en": "Policy Violation: C076E82F"
+      },
+      "reason_user": {
+        "en": "Land speed violation.",
+        "es": "Violación de velocidad en tierra."
+      },
       "event_timestamp": 1600975810
     }
   }