OpenID RISC Event Types 1.0

The base URI for RISC event types is: https://schemas.openid.net/secevent/risc/event-type/

Event Type URI: https://schemas.openid.net/secevent/risc/event-type/account-credential-change-required Account Credential Change Required signals that the account identified by the subject was required to change a credential. For example the user was required to go through a password change. Attributes: none

(the event type URI is wrapped, the backslash is the continuation character)

Event Type URI: https://schemas.openid.net/secevent/risc/event-type/account-purged Account Purged signals that the account identified by the subject has been permanently deleted. Attributes: none

Event Type URI: https://schemas.openid.net/secevent/risc/event-type/account-disabled Account Disabled signals that the account identified by the subject has been disabled. The actual reason why the account was disabled might be specified with the nested reason attribute described below. The account may be enabled in the future. Attributes: reason - optional, describes why was the account disabled. Possible values: hijacking bulk-account

(the event type URI is wrapped, the backslash is the continuation character)

Event Type URI: https://schemas.openid.net/secevent/risc/event-type/account-enabled Account Enabled signals that the account identified by the subject has been enabled. Attributes: none

Event Type URI: https://schemas.openid.net/secevent/risc/event-type/identifier-changed Identifier Changed signals that the identifier specified in the subject has changed. The subject type MUST be either email or phone and it MUST specify the old value. This event SHOULD be issued only by the provider that is authoritative over the identifier. For example, if the person that owns john.doe@example.com goes through a name change and wants the new john.row@example.com email then only the email provider example.com SHOULD issue an Identifier Changed event as shown in the example below. If an identifier used as a username or recovery option is changed, at a provider that is not authoritative over that identifier, then Recovery Information Changed SHOULD be used instead. Attributes: new-value - optional, the new value of the identifier.

The foo@example.com email changed to bar@example.com. (the event type URI is wrapped, the backslash is the continuation character)

Event Type URI: https://schemas.openid.net/secevent/risc/event-type/identifier-recycled Identifier Recycled signals that the identifier specified in the subject was recycled and now it belongs to a new user. The subject type MUST be either email or phone. Attributes: none

The 'foo@example.com' email address was recycled. (the event type URI is wrapped, the backslash is the continuation character)

Users SHOULD be allowed to opt-in and out of RISC events being sent for their accounts. With regards to opt-out an account can be in one of these three states: opt-in - the account is participating in RISC event exchange. opt-out-initiated - the user requested to be excluded from RISC event exchanges, but for practical security reasons for a period of time RISC events are still exchanged. The main reason for this state is to prevent a hijacker from immediately opting out of RISC. opt-out - the account is NOT participating in RISC event exchange.

State changes trigger Opt-Out Events as represented bellow: | | opt-in | | opt-out-initiated | | | pt-out-cancelled | | | <---------------------+ | +---^----+ +----------+--------+ | | | opt-in | opt-out-effective | | | +----------V--------+ | | | +--------------------------| opt-out | | | +-------------------+ ]]> Both Transmitters and Receivers SHOULD manage Opt-Out state for users. Transmitters should send the events defined in this section when the Opt-Out state changes.

Event Type URI: https://schemas.openid.net/secevent/risc/event-type/opt-in Opt In signals that the account identified by the subject opted into RISC event exchanges. The account is in the opt-in state. Attributes: none

Event Type URI: https://schemas.openid.net/secevent/risc/event-type/opt-out-initiated Opt Out Initiated signals that the account identified by the subject initiated to opt out from RISC event exchanges. The account is in the opt-out-initiated state. Attributes: none

Event Type URI: https://schemas.openid.net/secevent/risc/event-type/opt-out-cancelled Opt Out Cancelled signals that the account identified by the subject cancelled the opt out from RISC event exchanges. The account is in the opt-in state. Attributes: none

Event Type URI: https://schemas.openid.net/secevent/risc/event-type/opt-out-effective Opt Out Effective signals that the account identified by the subject was effectively opted out from RISC event exchanges. The account is in the opt-out state. Attributes: none

Event Type URI: https://schemas.openid.net/secevent/risc/event-type/recovery-activated Recovery Activated signals that the account identified by the subject activated a recovery flow. Attributes: none

Event Type URI: https://schemas.openid.net/secevent/risc/event-type/recovery-information-changed Recovery Information Changed signals that the account identified by the subject has changed some of its recovery information. For example a recovery email address was added or removed. Attributes: none

Event Type URI: https://schemas.openid.net/secevent/risc/event-type/sessions-revoked Sessions Revoked signals that all the sessions for the account identified by the subject have been revoked. Attributes: none