[Openid-specs-risc] openid/sharedsignals: Comment created on issue 205
github at oidf.org
github at oidf.org
Tue Nov 5 19:05:30 UTC 2024
openid/sharedsignals event
Issue Comment created on issue 205
Issue Title: New CAEP event - Risk level change event
https://github.com/openid/sharedsignals/pull/205
Comment: > The Risk level change event can be used by implementers as a "catch all" event. For example, an receiver could decide to use Risk level change instead of implementing the CAEP events. If we have a Risk level change event, which is prescriptive, we'd allow implementers to go the easy route and implement ONLY Risk level change event. Is that a behavior we want to encourage? > > As we discussed today CAEP events are descriptive, while Risk event is prescriptive. I don't see prescriptive and descriptive events coexist in the same spec. My suggestion is to wait with adding this event to the final spec. This event is the same as any other event in the CAEP spec, and it is NO WAY prescriptive. The Reciver may decide to do NOTHING on the risk being HIGH, same way as they chose to ingnore existing Session Revoked or Credential Change events. Whether and how organizations respond to any of the CAEP events is completely dependent on their risk tolerance levels.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-risc/attachments/20241105/630737f1/attachment.htm>
More information about the Openid-specs-risc
mailing list