Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New CAEP event - Risk level change event #205

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Conversation

appsdesh
Copy link
Contributor

New CAEP event - Risk level change event

Closes #200

Removed ips claim from the event and created #201 to handle it separately for all CAEP events

Risk level change event
@appsdesh appsdesh requested a review from a team as a code owner September 20, 2024 21:52
openid-caep-1_0.md Outdated Show resolved Hide resolved
openid-caep-1_0.md Outdated Show resolved Hide resolved

### Event Specific Claims {#risk-level-change-event-specific-claims}
The following optional claims MAY be present in a Session Presented event:

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we add a field that describes the type of risk? You mention in your example user risk and device risk. What if we had a field called risk_type whose values were an enum:

  • DEVICE
  • USER
  • ACCOUNT
  • OTHER

There may be other values that we should include in this enum as well.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@FragLegs I thought we could drive the type using the subject claim. With a single enum it would be hard to flag a single risk event if it applies to more than 1 entity like USER + DEVICE etc.

Co-authored-by: Shayne Miel (he/him) <[email protected]>
openid-caep-1_0.md Outdated Show resolved Hide resolved
: REQUIRED, JSON string indicates the reason that contributed to the risk level changes by the Transmitter. Overall this is an OPTIONAL claim, but marked as REQUIRED for Risk Level Change to indicate reasons behind the risk level change.

current_level
: REQUIRED, JSON string indicates the current level of the risk for the subject. Value MUST be one of LOW, MEDIUM, HIGH
Copy link

@ysarig75 ysarig75 Nov 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mandating the use of a LOW, MEDIUM, HIGH for risk levels may be too restricted for some usage. Some Companies may want to use a numeric range (e.g., 1-5 or 1-10) instead without needing to map it into LOW, MEDIUM, HIGH range.

One option is to add some kind of an optional "risk type" or "risk system" that may indicates to receivers how the risk is calculated and how it is being represented

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assurance level change uses namespace, but in that example, there are standardized ways of representing levels.

In this case, I feel even the numeric system will be subjective, it will not help bring standardization.

Another option is to plainly define a score as an optional attribute that could satisfy your use case, but I believe that could be solved by adopting #221

@appbugs
Copy link

appbugs commented Nov 5, 2024

The Risk level change event can be used by implementers as a "catch all" event. For example, an receiver could decide to use Risk level change instead of implementing the CAEP events. If we have a Risk level change event, which is prescriptive, we'd allow implementers to go the easy route and implement ONLY Risk level change event. Is that a behavior we want to encourage?

As we discussed today CAEP events are descriptive, while Risk event is prescriptive. I don't see prescriptive and descriptive events coexist in the same spec. My suggestion is to wait with adding this event to the final spec.

@appsdesh
Copy link
Contributor Author

appsdesh commented Nov 5, 2024

The Risk level change event can be used by implementers as a "catch all" event. For example, an receiver could decide to use Risk level change instead of implementing the CAEP events. If we have a Risk level change event, which is prescriptive, we'd allow implementers to go the easy route and implement ONLY Risk level change event. Is that a behavior we want to encourage?

As we discussed today CAEP events are descriptive, while Risk event is prescriptive. I don't see prescriptive and descriptive events coexist in the same spec. My suggestion is to wait with adding this event to the final spec.

This event is the same as any other event in the CAEP spec, and it is NO WAY prescriptive. The Reciver may decide to do NOTHING on the risk being HIGH, same way as they chose to ingnore existing Session Revoked or Credential Change events.

Whether and how organizations respond to any of the CAEP events is completely dependent on their risk tolerance levels. The event can describe what led to Tx raising or reducing the risk and description around that, this is very flexible mechanism to share the risks with vendors.

@appbugs
Copy link

appbugs commented Nov 5, 2024

#200

The Risk level change event can be used by implementers as a "catch all" event. For example, an receiver could decide to use Risk level change instead of implementing the CAEP events. If we have a Risk level change event, which is prescriptive, we'd allow implementers to go the easy route and implement ONLY Risk level change event. Is that a behavior we want to encourage?
As we discussed today CAEP events are descriptive, while Risk event is prescriptive. I don't see prescriptive and descriptive events coexist in the same spec. My suggestion is to wait with adding this event to the final spec.

This event is the same as any other event in the CAEP spec, and it is NO WAY prescriptive. The Reciver may decide to do NOTHING on the risk being HIGH, same way as they chose to ingnore existing Session Revoked or Credential Change events.

Whether and how organizations respond to any of the CAEP events is completely dependent on their risk tolerance levels. The event can describe what led to Tx raising or reducing the risk and description around that, this is very flexible mechanism to share the risks with vendors.

The Risk level change event does not prescribe what to do, it just augments different security events into the Risk level change event. The question is do we need to have an event that factors other CAEP events to come up with Low/Medium/High or a Tx can just use the existing CAEP events. If there are other events that Risk level change is factoring, can we just add those events as stand-alone events to the CAEP spec?

@appsdesh
Copy link
Contributor Author

appsdesh commented Nov 5, 2024

#200

The Risk level change event can be used by implementers as a "catch all" event. For example, an receiver could decide to use Risk level change instead of implementing the CAEP events. If we have a Risk level change event, which is prescriptive, we'd allow implementers to go the easy route and implement ONLY Risk level change event. Is that a behavior we want to encourage?
As we discussed today CAEP events are descriptive, while Risk event is prescriptive. I don't see prescriptive and descriptive events coexist in the same spec. My suggestion is to wait with adding this event to the final spec.

This event is the same as any other event in the CAEP spec, and it is NO WAY prescriptive. The Reciver may decide to do NOTHING on the risk being HIGH, same way as they chose to ingnore existing Session Revoked or Credential Change events.
Whether and how organizations respond to any of the CAEP events is completely dependent on their risk tolerance levels. The event can describe what led to Tx raising or reducing the risk and description around that, this is very flexible mechanism to share the risks with vendors.

The Risk level change event does not prescribe what to do, it just augments different security events into the Risk level change event. The question is do we need to have an event that factors other CAEP events to come up with Low/Medium/High or a Tx can just use the existing CAEP events. If there are other events that Risk level change is factoring, can we just add those events as stand-alone events to the CAEP spec?

As discussed in the call, risk indicators are a function of the Tx maturity. Risk calculations are outside the scope of this specification. Risk may encompass things described outside CAEP and RISK specs. You are free to propose any new events that describe your usecases.

This event is standalone and represents risk as a first-class object to be shared with the co-operating parties. There is no implicit dependency on presence or absence of other events.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

New event to represent risk level changes
5 participants