Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New CAEP event - Risk level change event #205

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

New CAEP event - Risk level change event #205

wants to merge 1 commit into from

Conversation

appsdesh
Copy link
Contributor

New CAEP event - Risk level change event

Closes #200

Removed ips claim from the event and created #201 to handle it separately for all CAEP events

@appsdesh appsdesh requested a review from a team as a code owner September 20, 2024 21:52
FragLegs
FragLegs requested changes Sep 24, 2024
View reviewed changes
openid-caep-1_0.md Outdated Show resolved Hide resolved
openid-caep-1_0.md Outdated Show resolved Hide resolved
openid-caep-1_0.md Show resolved Hide resolved
ysarig75
ysarig75 reviewed Nov 5, 2024
View reviewed changes
openid-caep-1_0.md Outdated Show resolved Hide resolved
ysarig75
ysarig75 reviewed Nov 5, 2024
View reviewed changes
openid-caep-1_0.md Outdated Show resolved Hide resolved
@appbugs
Copy link

appbugs commented Nov 5, 2024

The Risk level change event can be used by implementers as a "catch all" event. For example, an receiver could decide to use Risk level change instead of implementing the CAEP events. If we have a Risk level change event, which is prescriptive, we'd allow implementers to go the easy route and implement ONLY Risk level change event. Is that a behavior we want to encourage?

As we discussed today CAEP events are descriptive, while Risk event is prescriptive. I don't see prescriptive and descriptive events coexist in the same spec. My suggestion is to wait with adding this event to the final spec.

@appsdesh
Copy link
Contributor Author

appsdesh commented Nov 5, 2024
edited
Loading

The Risk level change event can be used by implementers as a "catch all" event. For example, an receiver could decide to use Risk level change instead of implementing the CAEP events. If we have a Risk level change event, which is prescriptive, we'd allow implementers to go the easy route and implement ONLY Risk level change event. Is that a behavior we want to encourage?

As we discussed today CAEP events are descriptive, while Risk event is prescriptive. I don't see prescriptive and descriptive events coexist in the same spec. My suggestion is to wait with adding this event to the final spec.

This event is the same as any other event in the CAEP spec, and it is NO WAY prescriptive. The Reciver may decide to do NOTHING on the risk being HIGH, same way as they chose to ingnore existing Session Revoked or Credential Change events.

Whether and how organizations respond to any of the CAEP events is completely dependent on their risk tolerance levels. The event can describe what led to Tx raising or reducing the risk and description around that, this is very flexible mechanism to share the risks with vendors.

@appbugs
Copy link

appbugs commented Nov 5, 2024
edited
Loading

#200

The Risk level change event can be used by implementers as a "catch all" event. For example, an receiver could decide to use Risk level change instead of implementing the CAEP events. If we have a Risk level change event, which is prescriptive, we'd allow implementers to go the easy route and implement ONLY Risk level change event. Is that a behavior we want to encourage?
As we discussed today CAEP events are descriptive, while Risk event is prescriptive. I don't see prescriptive and descriptive events coexist in the same spec. My suggestion is to wait with adding this event to the final spec.

This event is the same as any other event in the CAEP spec, and it is NO WAY prescriptive. The Reciver may decide to do NOTHING on the risk being HIGH, same way as they chose to ingnore existing Session Revoked or Credential Change events.

Whether and how organizations respond to any of the CAEP events is completely dependent on their risk tolerance levels. The event can describe what led to Tx raising or reducing the risk and description around that, this is very flexible mechanism to share the risks with vendors.

The Risk level change event does not prescribe what to do, it just augments different security events into the Risk level change event. The question is do we need to have an event that factors other CAEP events to come up with Low/Medium/High or a Tx can just use the existing CAEP events. If there are other events that Risk level change is factoring, can we just add those events as stand-alone events to the CAEP spec?

@appsdesh
Copy link
Contributor Author

appsdesh commented Nov 5, 2024
edited
Loading

#200

The Risk level change event can be used by implementers as a "catch all" event. For example, an receiver could decide to use Risk level change instead of implementing the CAEP events. If we have a Risk level change event, which is prescriptive, we'd allow implementers to go the easy route and implement ONLY Risk level change event. Is that a behavior we want to encourage?
As we discussed today CAEP events are descriptive, while Risk event is prescriptive. I don't see prescriptive and descriptive events coexist in the same spec. My suggestion is to wait with adding this event to the final spec.

This event is the same as any other event in the CAEP spec, and it is NO WAY prescriptive. The Reciver may decide to do NOTHING on the risk being HIGH, same way as they chose to ingnore existing Session Revoked or Credential Change events.
Whether and how organizations respond to any of the CAEP events is completely dependent on their risk tolerance levels. The event can describe what led to Tx raising or reducing the risk and description around that, this is very flexible mechanism to share the risks with vendors.

The Risk level change event does not prescribe what to do, it just augments different security events into the Risk level change event. The question is do we need to have an event that factors other CAEP events to come up with Low/Medium/High or a Tx can just use the existing CAEP events. If there are other events that Risk level change is factoring, can we just add those events as stand-alone events to the CAEP spec?

As discussed in the call, risk indicators are a function of the Tx maturity. Risk calculations are outside the scope of this specification. Risk may encompass things described outside CAEP and RISK specs. You are free to propose any new events that describe your usecases.

This event is standalone and represents risk as a first-class object to be shared with the co-operating parties. There is no implicit dependency on presence or absence of other events.

FragLegs
FragLegs reviewed Nov 25, 2024
View reviewed changes
openid-caep-1_0.md Outdated Show resolved Hide resolved
openid-caep-1_0.md Outdated Show resolved Hide resolved
openid-caep-1_0.md Outdated Show resolved Hide resolved
FragLegs
FragLegs reviewed Dec 3, 2024
View reviewed changes
openid-caep-1_0.md Outdated Show resolved Hide resolved
openid-caep-1_0.md Show resolved Hide resolved
@apoorvadeshpande-okta @appsdesh
Risk level change event
d8efd7e 
Risk level change event
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@FragLegs FragLegs FragLegs approved these changes

@tulshi tulshi Awaiting requested review from tulshi

@ysarig75 ysarig75 Awaiting requested review from ysarig75

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

New event to represent risk level changes
6 participants
@appsdesh @appbugs @FragLegs @tulshi @ysarig75 @apoorvadeshpande-okta