• An API that facilitates asynchronous communication between Transmitters and Receivers. It features:
  • Describe a Transmitter to anyone, including endpoints and supported event types
  • Securely establish a stream with a subset of supported event types, requested by a Receiver and agreed to by a Transmitter
  • Securely manage the stream including start, pause and delete the stream
  • Add or remove subjects of interest in the stream, a subject can be defined as narrowly or broadly as desired.
  • Events in the stream relate to subjects that are of mutual interest
  • A subject may provide consent to being included in the stream (if applicable)
  • Send and receive events using a push or pull model based on IETF standard protocols

• The API can be authorized using OAuth or other means
• The streams contain discrete events formatted as SETs
• SSF events use IETF SecEvents Subject Identifiers within the SETs.

Federated systems are a common way of enforcing access control. Widely used federated identity standard protocols such as SAML and OpenID Connect enable identity providers to assert the validity of access at the time of user login. These sessions may last over long durations of time, often several days during which time the user properties, such as location, authentication or organizational membership may have changed. So relying on information that was only asserted at the time of login creates security issues due to unauthorized access that is provided based on the old information. Therefore, a standards-based approach to communicating changes to access properties is proposed through this working group. CAEP is a standardized way to describe status changes. CAEP events, expressed as security event tokens (SET) are sent by Transmitters using the SSE framework. Once a CAEP event is received, the Receiver can take appropriate security measures to ensure dynamically adjust the user’s privacy and security access posture. This makes CAEP a cornerstone of zero-trust security.

CAEP (previously known as the Continuous Access Evaluation Protocol) was first proposed in a blog post by Google. A number of companies have contributed to its development and its independent standardization effort was merged into this working group of the OpenID Foundation.

In summary:

• • CAEP is specified as a profile of the SSE Framework that facilitates zero-trust security
  • CAEP includes events such as:
    • Session Revoked
    • Token Claims Change
    • Credential Change
    • Assurance Level Change
    • Device Compliance Change

• Read the implementers’ draft of the Continuous Access Evaluation Profile specification.

Attackers often target multiple accounts across service providers for a single individual, knowing that users normally register for all their internet services with just a few email addresses. This kind of account takeover attacks are called credential stuffing attacks. For example, a victim’s social networking account may send password recovery information to their email account, or they might log into her photo sharing account using their social network credentials. When criminals exploit these linkages, a single weak link can create a cascade of account takeovers.

The Risk & Incident Sharing and Collaboration (RISC) provides a standardized way to transmit and receive security alerts about such attacks. It enables providers to prevent attackers from compromising linked accounts across multiple providers and coordinate in restoring accounts in the event of compromise.

• • A profile of the SSE framework to improve account security
  • Includes events such as:
    • Account Credential Change Required
    • Account Purged/Disabled/Enabled
    • Identifier Changed/Recycled
    • Credential Compromise
    • Recovery Activated/Information Changed

• Read the draft RISC Profile specification.