| caep-interop | November 2023 | |
| Tulshibagwale | Standards Track | [Page] |
This document defines an interoperability profile for implementations of the Shared Signals Framework (SSF) [SSF] and the Continuous Access Evaluation Profile (CAEP) [CAEP]. It is organized around use-cases that improve security of authenticated sessions. It specifies certain optional elements from within the SSF and CAEP specifications as being required to be supported in order to be considered as an interoperable implementation.¶
SSF and CAEP together enable improved session security outcomes. This specification defines the minimum required features from SSF and CAEP that an implementation MUST offer in order to be considered as an interoperable implementation. This document defines specific use cases. An implementation MAY support only a subset of the use cases defined herein, and SHALL be considered an interoperable implementation for the specific use-cases it supports. The following use-cases are considered as a part of this specification:¶
The following requirements are common across all use-cases defined in this document.¶
Transmitters MUST implement the following features:¶
The Transmitter Configuration Metadata MUST have a spec_version field, and its value MUST be 1_0-ID2 or greater¶
The Transmitter Configuration Metadata MUST include the delivery_methods_supported field.¶
The Transmitter Configuration Metadata MUST include the jwks_uri field, and its value MUST provide the current signing key of the Transmitter.¶
The Transmitter Configuration Metadata MUST include the configuration_endpoint field. The specified endpoint MUST support the POST method in order to be able to create a stream.¶
The Transmitter Configuration Metadata MUST include the status_endpoint field. The specified endpoint MUST support the GET and POST methods in order to get and update the stream status respectively. The Transmitter MUST support the following values in an Update Stream Status request:¶
For streams that are paused, the Transmitter MUST specify (offline) the resource constraints on how many events it can keep, or for how long. The way a Transmitter specifies this information is outside the scope of the SSF spec.¶
The Transmitter Configuration Metadata MUST include the verification_endpoint field. The specified endpoint MUST provide a way to request verification events to be sent.¶
In all streams created by the Transmitter, the following MUST be true:¶
A Transmitter MUST be able to accept a Create Stream request that includes either of the following delivery methods:¶
The delivery field MUST be present in the Configuration of any Stream generated by the Transmitter, and its value MUST include one of the two delivery methods listed above.¶
The following Stream Configuration API Methods MUST be supported:¶
Receivers MUST be able to create a Stream with the Transmitter using valid authorization with the Transmitter. The Transmitter MAY support multiple streams with the same Receiver¶
A Receiver MUST be able to obtain current Stream configuration from the Transmitter by providing a valid authorization¶
A Receiver MUST be able to obtain the current Stream status from the Transmitter by providing a valid authorization¶
A Receiver MUST be able to verify the liveness of the Stream by requesting that the Transmitter send it a Stream Verificaiton event by providing a valid authorization¶
Receivers MUST implement the following features:¶
Receivers MUST be able to accept events using the Push-Based Security Event Token (SET) Delivery Using HTTP [RFC8935] specification and the Poll-Based Security Event Token (SET) Delivery Using HTTP [RFC8936] specification.¶
Receivers MUST assume that all subjects are implicitly included in a Stream, without any AddSubject method invocations.¶
The following subject identifier formats from "Subject Identifiers for Security Event Tokens" [RFC9493] MUST be supported:¶
Receivers MUST be prepared to accept events with any of the subject identifier formats specified in this section. Transmitters MUST be able to send events with at least one of subject identifier formats specified in this section.¶
All events MUST be signed using the RS256 algorithm using a minimum of 2048-bit keys.¶
Implementations MAY choose to support one or more of the following use-cases in order to be considered interoperable implementations¶
In order to support session revocation or logout, implementations MUST support the CAEP event type session-revoked. The reason_admin field of the event MUST be populated with a non-empty value.¶
In order to support notifying and responding to credential changes, implementations MUST support the CAEP event type credential-change.
Within the credential-change event, implementations MUST support the following field values:¶
change_typeReceivers MUST interpret all allowable values of this field. Transmitters MAY generate any allowable value of this field¶
credential_typeReceivers MUST interpret all allowable values of this field. Transmitters MAY generate any allowable value of this field¶
reason_adminTransmitters MUST populate this value with a non-empty string¶