From 4287686de742b7b63b6a7c88ec92ea1c2f6317fc Mon Sep 17 00:00:00 2001
From: Apoorva Deshpande <apoorva.deshpande@okta.com>
Date: Fri, 20 Sep 2024 14:49:43 -0700
Subject: [PATCH 1/3] Risk level change event

Risk level change event
---
 openid-caep-1_0.md | 55 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/openid-caep-1_0.md b/openid-caep-1_0.md
index 3624fb7..1e6553c 100644
--- a/openid-caep-1_0.md
+++ b/openid-caep-1_0.md
@@ -822,6 +822,61 @@ The following is a non-normative example of a Session Presented event:
     }}
 ~~~
 
+## Risk Level Change {#risk-level-change}
+Event Type URI:
+
+`https://schemas.openid.net/secevent/caep/event-type/risk-level-change`
+
+A vendor may deploy mechanisms to gather and analyze various signals associated with subjects such as users, devices, etc. These signals, which can originate from diverse channels and methods beyond the scope of this event description, are processed to derive an abstracted risk level representing the subject's current threat status.
+
+The Risk Level Change event is employed  by the Trasnmitter to communicate any modifications in a subject's assessed risk level at the time indicated by the `event_timestamp` field in the Risk Level Change event. The Transmitter may generate this event to indicate:
+
+* User's risk has changed due to potential suspecious access from unknown destination, password compromise, addition of strong authenticator or other reasons.
+* Device's risk has changed due to installation of unapproved software, connection to insecure pheripheral device, encryption of data or other reasons.
+* Any other subject's risk changes due to variety of reasons.
+
+
+### Event Specific Claims {#risk-level-change-event-specific-claims}
+The following optional claims MAY be present in a Session Presented event:
+
+reason_admin
+: REQUIRED, JSON string indicates the reason that contributed to the risk level changes by the Transmitter. Overall this is an OPTIONAL claim, but marked as REQUIRED for Risk Level Change to indicate reasons behind the risk level change.
+
+current_level 
+: REQUIRED, JSON string indicates the current level of the risk for the subject. Value MUST be one of LOW, MEDIUM, HIGH
+
+previous_level 
+: OPTIONAL, JSON string indicates the previously known level of the risk for the subject. Value MUST be one of LOW, MEDIUM, HIGH. If the Transmitter omits this value, the Receiver MUST assume that the previous assurance level is unknown to the Transmitter.
+
+
+### Examples {#session-presented-examples}
+The following is a non-normative example of a Session Presented event:
+
+~~~json
+{
+    "iss": "https://idp.example.com/123456789/",
+    "jti": "24c63fb56e5a2d77a6b512616ca9fa24",
+    "iat": 1615305159,
+    "aud": "https://sp.example.com/caep",
+    "txn": 8675309,
+    "sub_id": {
+      "format": "iss_sub",
+      "iss": "https://idp.example.com/3456789/",
+      "sub": "jane.doe@example.com"
+    },
+    "events":{
+      "https://schemas.openid.net/secevent/caep/event-type/risk-level-change":{
+         "current_level": "LOW",
+         "previous_level": "HIGH",
+         "event_timestamp": 1615304991643,
+         "reason_admin":{
+            "en": "User's password detected in the pwned password dump"
+         }
+      }
+   }
+}
+~~~
+
 # Security Considerations
 Any implementations of events described in this document SHOULD comply with the Shared Signals Framework {{SSF}}. Exchanging events described herein without complying with the Shared Signals Framework {{SSF}} may result in security issues.
 

From 549983779d8ce52ad031a561f29dd56908e886e7 Mon Sep 17 00:00:00 2001
From: Apoorva Deshpande <apps.desh@gmail.com>
Date: Tue, 5 Nov 2024 07:37:52 -0800
Subject: [PATCH 2/3] Update openid-caep-1_0.md

Co-authored-by: Shayne Miel (he/him) <miel.shayne@gmail.com>
---
 openid-caep-1_0.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/openid-caep-1_0.md b/openid-caep-1_0.md
index 1e6553c..cef4e7d 100644
--- a/openid-caep-1_0.md
+++ b/openid-caep-1_0.md
@@ -829,7 +829,7 @@ Event Type URI:
 
 A vendor may deploy mechanisms to gather and analyze various signals associated with subjects such as users, devices, etc. These signals, which can originate from diverse channels and methods beyond the scope of this event description, are processed to derive an abstracted risk level representing the subject's current threat status.
 
-The Risk Level Change event is employed  by the Trasnmitter to communicate any modifications in a subject's assessed risk level at the time indicated by the `event_timestamp` field in the Risk Level Change event. The Transmitter may generate this event to indicate:
+The Risk Level Change event is employed by the Transmitter to communicate any modifications in a subject's assessed risk level at the time indicated by the `event_timestamp` field in the Risk Level Change event. The Transmitter may generate this event to indicate:
 
 * User's risk has changed due to potential suspecious access from unknown destination, password compromise, addition of strong authenticator or other reasons.
 * Device's risk has changed due to installation of unapproved software, connection to insecure pheripheral device, encryption of data or other reasons.

From 4dc02137ff720bdeb795296963c556ba3d0bac29 Mon Sep 17 00:00:00 2001
From: Apoorva Deshpande <apps.desh@gmail.com>
Date: Thu, 14 Nov 2024 22:12:40 -0800
Subject: [PATCH 3/3] Added risk_reason

---
 openid-caep-1_0.md | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/openid-caep-1_0.md b/openid-caep-1_0.md
index cef4e7d..323e0e9 100644
--- a/openid-caep-1_0.md
+++ b/openid-caep-1_0.md
@@ -837,10 +837,9 @@ The Risk Level Change event is employed by the Transmitter to communicate any mo
 
 
 ### Event Specific Claims {#risk-level-change-event-specific-claims}
-The following optional claims MAY be present in a Session Presented event:
 
-reason_admin
-: REQUIRED, JSON string indicates the reason that contributed to the risk level changes by the Transmitter. Overall this is an OPTIONAL claim, but marked as REQUIRED for Risk Level Change to indicate reasons behind the risk level change.
+risk_reason
+: REQUIRED, JSON string indicates the reason that contributed to the risk level changes by the Transmitter.
 
 current_level 
 : REQUIRED, JSON string indicates the current level of the risk for the subject. Value MUST be one of LOW, MEDIUM, HIGH
@@ -849,8 +848,8 @@ previous_level
 : OPTIONAL, JSON string indicates the previously known level of the risk for the subject. Value MUST be one of LOW, MEDIUM, HIGH. If the Transmitter omits this value, the Receiver MUST assume that the previous assurance level is unknown to the Transmitter.
 
 
-### Examples {#session-presented-examples}
-The following is a non-normative example of a Session Presented event:
+### Examples {#risk-level-change-examples}
+The following is a non-normative example of a Risk Level Change event:
 
 ~~~json
 {
@@ -869,7 +868,7 @@ The following is a non-normative example of a Session Presented event:
          "current_level": "LOW",
          "previous_level": "HIGH",
          "event_timestamp": 1615304991643,
-         "reason_admin":{
+         "risk_reason":{
             "en": "User's password detected in the pwned password dump"
          }
       }