SSF defines a flexible, event-driven architecture that allows different security use cases to be implemented through specialized profiles. The framework uses Security Event Tokens (SETs) as the core mechanism for transmitting security events, ensuring standardized, secure, and verifiable communication between transmitters and receivers.
Security Event Tokens (SETs)
Security Event Tokens, defined in RFC 8417, are specialized JSON Web Tokens (JWTs) designed specifically for transmitting security event information. Unlike traditional JWTs used for authentication or authorization, SETs are optimized for event notification and signaling.
A SET is a JWT that contains:
- Standard JWT headers: Including the `typ` header set to `secevent+jwt` to identify the token as a Security Event Token
- Event claims: The `events` claim (required) containing one or more security event descriptions, each identified by a unique URI
- Subject identification: Claims like `sub`, `iss`, and other identifiers to specify the affected entity
- Timing information: Claims such as `iat` (issued at) and optional `jti` (JWT ID) for event tracking
- Event-specific data: Additional claims within each event object providing context-specific details
SETs are signed using JSON Web Signature (JWS) to ensure authenticity and integrity, and may optionally be encrypted using JSON Web Encryption (JWE) for confidentiality when transmitted over untrusted channels.
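As an added example (not code from the original page or from any SSF implementation), the following Python builds a SET with the RFC 8417 claims described above and shows the checks a receiver should run before acting on it: signature, the `secevent+jwt` `typ` header, issuer, audience, freshness, and a non-empty `events` claim. It uses only the standard library and an HS256 shared secret so it runs offline; the secret, issuer/audience URLs and the event body are constructed for the demo, while the `session-revoked` event-type URI is the one published in the CAEP specification.

```python
import base64
import hashlib
import hmac
import json
import time

SET_TYP = "secevent+jwt"
# Event-type URI from the CAEP specification; the event body used below is constructed.
SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
# Constructed shared secret for the HS256 demo. Real transmitters use asymmetric keys
# (RS256/ES256) published in a JWKS, so receivers never hold the signing key.
DEMO_KEY = b"constructed-demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_set(issuer, audience, jti, events, key=DEMO_KEY, iat=None):
    """Transmitter side: produce a signed SET carrying the RFC 8417 required claims."""
    header = {"alg": "HS256", "typ": SET_TYP}
    payload = {
        "iss": issuer,
        "aud": audience,
        "iat": int(time.time()) if iat is None else iat,
        "jti": jti,        # unique id; receivers use it to de-duplicate redeliveries
        "events": events,  # required; maps event-type URI -> event-specific claims
    }

    def enc(obj):
        return _b64url(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = enc(header) + "." + enc(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_set(token, expected_issuer, expected_audience, key=DEMO_KEY, max_age=300, now=None):
    """Receiver side: validate signature, typ, iss, aud, freshness and the events claim.

    Returns the validated payload dict; raises ValueError on any failure.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm: the token must never get to choose its own (e.g. "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    # typ separates a SET from access/ID tokens so one is never accepted as the other.
    if header.get("typ") != SET_TYP:
        raise ValueError("not a SET (typ != secevent+jwt)")
    payload = json.loads(_b64url_decode(p_b64))
    if payload.get("iss") != expected_issuer:
        raise ValueError("untrusted issuer")
    aud = payload.get("aud")
    if not (aud == expected_audience or (isinstance(aud, list) and expected_audience in aud)):
        raise ValueError("token not intended for this receiver")
    for claim in ("iat", "jti"):
        if claim not in payload:
            raise ValueError(f"missing {claim}")
    current = int(time.time()) if now is None else now
    if current - payload["iat"] > max_age:
        raise ValueError("stale SET")
    events = payload.get("events")
    if not isinstance(events, dict) or not events:
        raise ValueError("events claim missing or empty")
    return payload


if __name__ == "__main__":
    # Constructed CAEP session-revoked event for a constructed subject.
    event = {SESSION_REVOKED: {"subject": {"format": "email", "email": "alice@example.com"},
                               "event_timestamp": 1700000000}}
    token = build_set("https://idp.example", "https://rp.example", "jti-0001", event)
    print(json.dumps(verify_set(token, "https://idp.example", "https://rp.example"), indent=2))
```

The order of checks matters: the signature is verified before any claim is trusted, and the `typ` check is what stops a receiver from treating an ordinary JWT as a security event (or vice versa). The `jti` is returned so that a receiver can keep a seen-set and ignore redeliveries.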
Profiles within the Shared Signaling Framework
Continuous Access Evaluation Profile (CAEP)
The Continuous Access Evaluation Profile (CAEP) is a profile within the SSF that introduces a dynamic and real-time approach to access evaluation. Unlike traditional static access permissions, CAEP continuously assesses and adapts user access privileges based on contextual factors, enhancing security and user experience. This profile allows for immediate response to changes in user status or permissions, minimizing the risk of unauthorized access.
CAEP enables real-time notifications about changes in security posture, user context, or access conditions, allowing relying parties to make immediate access decisions. By integrating seamlessly with existing OpenID Connect and OAuth 2.0 implementations, CAEP brings a heightened level of adaptability to identity and access management. CAEP event signals can inform runtime authorization decisions made through standards like OpenID AuthZEN, where CAEP provides the security context signals and AuthZEN delivers the fine-grained access evaluation based on that current context. This continuous evaluation approach is particularly valuable for workload and machine identities, including AI agents, where security posture and compliance status may change dynamically during runtime.
CAEP Event Types
CAEP defines several standardized event types that transmitters can send to signal various security-relevant changes:
- Session Revoked: Indicates that a user's session has been terminated, requiring immediate re-authentication
- Token Claims Change: Signals that claims within a token have been modified, necessitating token refresh or re-evaluation
- Credential Change: Notifies that a user's credentials have been updated or modified
- Assurance Level Change: Indicates a change in the authentication assurance level for a user or session
- Device Compliance Change: Signals that a device's compliance status has changed (e.g., no longer meets security requirements)
- Session Established: Indicates that a new session has been established for the user
- Session Presented: Signals that a session has been presented for access evaluation
These event types enable fine-grained, real-time access control decisions based on continuously evaluated security context.
Risk Incident Sharing and Coordination (RISC)
The Risk Incident Sharing and Coordination (RISC) profile enables organizations to share security and risk signals across organizational boundaries. RISC focuses on coordinated incident response by allowing identity providers and relying parties to exchange information about security events such as account compromises, credential theft, or suspicious activities.
With RISC, when one organization detects a security incident affecting a user, they can immediately notify other organizations that serve the same user, enabling rapid coordinated response. This profile is particularly valuable in federated identity scenarios where users interact with multiple services, as it ensures that security incidents are addressed consistently across all involved parties.
RISC Event Types
RISC defines standardized event types for communicating security incidents and risk signals:
- Account Credential Change Required: Signals that the account holder should change their credentials due to potential compromise
- Account Purged: Indicates that an account has been permanently deleted or purged from the system
- Account Disabled: Notifies that an account has been disabled, typically due to security concerns or policy violations
- Account Enabled: Signals that a previously disabled account has been re-enabled
- Identifier Changed: Indicates that a user's identifier (e.g., email address) has been modified
- Identifier Recycled: Notifies that a previously used identifier has been reassigned to a different account
- Credential Compromised: Signals that user credentials have been confirmed as compromised and should be immediately invalidated
- Opt In: Signals that the account identified by the subject opted into RISC event exchanges. The account is in the opt-in state
- Opt Out Initiated: Signals that the account identified by the subject has initiated the opt-out process for RISC event exchanges. The account is in the opt-out-initiated state
- Opt Out Cancelled: Signals that the account identified by the subject has cancelled a previously initiated opt-out request for RISC event exchanges. The account returns to the opt-in state
- Opt Out Effective: Signals that the opt-out process has completed for the account identified by the subject. The account is in the opt-out state and will no longer participate in RISC event exchanges
- Recovery Activated: Signals that account recovery procedures have been activated for the user
- Recovery Information Changed: Notifies that recovery information (e.g., recovery email, phone number) has been modified
- Sessions Revoked: Indicates that one or more user sessions have been revoked across services
These event types facilitate coordinated security incident response across ecosystem participants, ensuring that security threats are addressed comprehensively and consistently.
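As an added example covering both the CAEP and RISC event lists above (not code from the original page or from any SSF product), the following Python sketches the receiver side: it maps each event-type URI to a local action, resolves the affected subject from the event's `subject` or the top-level `sub_id`, ignores redelivered SETs by `jti`, and logs rather than drops event types it does not recognise. The event-type URIs are those published in the CAEP and RISC profile specifications; the action names, the `SetReceiver` class and the sample payloads are constructed for illustration, and the payloads are assumed to have already passed signature and issuer validation.

```python
# Event-type URI prefixes as published in the CAEP and RISC profile specifications.
CAEP = "https://schemas.openid.net/secevent/caep/event-type/"
RISC = "https://schemas.openid.net/secevent/risc/event-type/"

# Constructed receiver policy: the local action each event type triggers.
# Action names are hypothetical handler identifiers, not from any specification.
ACTIONS = {
    CAEP + "session-revoked": "terminate_sessions",
    CAEP + "token-claims-change": "refresh_tokens",
    CAEP + "credential-change": "reevaluate_access",
    CAEP + "assurance-level-change": "reevaluate_access",
    CAEP + "device-compliance-change": "reevaluate_access",
    CAEP + "session-established": "record_session",
    CAEP + "session-presented": "record_session",
    RISC + "account-credential-change-required": "force_credential_reset",
    RISC + "credential-compromise": "terminate_sessions_and_force_reset",
    RISC + "account-disabled": "suspend_account",
    RISC + "account-enabled": "unsuspend_account",
    RISC + "account-purged": "delete_account",
    RISC + "identifier-changed": "update_identifier",
    RISC + "identifier-recycled": "unlink_identifier",
    RISC + "sessions-revoked": "terminate_sessions",
    RISC + "recovery-activated": "flag_for_review",
    RISC + "recovery-information-changed": "flag_for_review",
    RISC + "opt-in": "mark_opted_in",
    RISC + "opt-out-initiated": "mark_opt_out_pending",
    RISC + "opt-out-cancelled": "mark_opted_in",
    RISC + "opt-out-effective": "mark_opted_out",
}


def subject_of(payload, event_body):
    """Resolve the affected subject: event-level 'subject' first, then top-level 'sub_id'.

    Handles the email, iss_sub and opaque subject formats; returns a display key.
    """
    subj = event_body.get("subject") or payload.get("sub_id") or {}
    return subj.get("email") or subj.get("sub") or subj.get("id") or "<unknown>"


class SetReceiver:
    """Applies verified SET payloads to local state; idempotent across redelivery."""

    def __init__(self):
        self.seen_jti = set()  # in production this would be a persistent, bounded store
        self.log = []          # audit trail suitable for forwarding to a SIEM

    def process(self, payload):
        """payload: claims of a SET whose signature, iss, aud and typ were already verified.

        Returns the list of (action, subject) pairs the receiver should execute.
        """
        jti = payload["jti"]
        if jti in self.seen_jti:
            # Transmitters may redeliver on timeout; acting twice must be harmless.
            self.log.append(("duplicate_ignored", jti))
            return []
        self.seen_jti.add(jti)
        actions = []
        for uri, body in payload["events"].items():
            who = subject_of(payload, body)
            action = ACTIONS.get(uri)
            if action is None:
                # Unknown events are logged, not silently dropped: a newer profile
                # version may introduce types this receiver does not yet understand.
                self.log.append(("unknown_event", uri, who))
                continue
            actions.append((action, who))
            self.log.append((action, who, uri))
        return actions


if __name__ == "__main__":
    receiver = SetReceiver()
    # Constructed CAEP payload: session revoked for a constructed subject.
    caep_payload = {
        "iss": "https://idp.example", "jti": "j1", "iat": 1700000000,
        "events": {CAEP + "session-revoked": {
            "subject": {"format": "email", "email": "alice@example.com"},
            "event_timestamp": 1700000000}},
    }
    print(receiver.process(caep_payload))
    print(receiver.process(caep_payload))  # redelivery -> []
```

Mapping every event type to an explicit action, with a logged fallback for the rest, is what keeps a receiver from either over-reacting to low-severity signals (such as the opt-in family) or quietly missing a high-severity one like `credential-compromise`.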
Key advantages of the Shared Signaling Framework (SSF):
- Real-time Security Communication: SSF enables immediate transmission of security events across organizational boundaries, allowing for rapid response to threats and changes in security posture.
- Standardized Event Format: By using Security Event Tokens (SETs), SSF provides a standardized, interoperable format for security event communication, reducing integration complexity across different systems and vendors.
- Flexible Profile Architecture: The framework's profile-based design allows different security use cases (like CAEP and RISC) to be implemented while sharing common infrastructure, improving efficiency and consistency.
- Enhanced Collaborative Security: SSF facilitates coordinated security responses across multiple organizations and services, particularly valuable in federated identity scenarios where users interact with multiple relying parties.
- Scalability and Compatibility: SSF integrates seamlessly with existing OpenID Connect and OAuth 2.0 implementations, making it scalable and compatible with a wide range of digital ecosystems and applications.
- Reduced Response Time: By enabling real-time event sharing, SSF dramatically reduces the time between security incident detection and coordinated response across all affected systems.
Key challenges of the Shared Signaling Framework (SSF):
- Integration Complexity: Implementing SSF and its profiles may pose challenges due to the need to integrate with existing OpenID Connect and OAuth 2.0 systems, potentially requiring adjustments to infrastructure and event processing workflows.
- Event Handling and Processing: Organizations must develop robust mechanisms to receive, validate, and act upon security events in real-time, which requires careful architectural planning and operational processes.
- Trust Relationship Management: Establishing and maintaining trust relationships between event transmitters and receivers across organizational boundaries requires careful governance and security controls.
- Privacy and Data Protection: Sharing security events across organizations raises privacy concerns, particularly regarding what information is shared and with whom. Compliance with data protection regulations like GDPR must be carefully considered.
- Event Volume and Filtering: As the number of connected systems grows, managing the volume of security events and filtering for relevant signals becomes increasingly important to avoid alert fatigue.
Summary
The Shared Signaling Framework (SSF) aligns seamlessly with the principles of Zero Trust and Zero Standing Privileges / Just-In-Time (JIT) access, forming a cohesive approach to modern cybersecurity. In a Zero Trust model, trust is never assumed, and SSF contributes by enabling real-time sharing of security signals that drive continuous verification and dynamic access decisions based on current security context.
Through its CAEP profile, SSF continuously evaluates and adapts access privileges based on real-time contextual factors, while the RISC profile enables coordinated incident response across organizational boundaries. SSF events can be consumed by Security Information and Event Management (SIEM) systems for correlation and threat detection, and by Security Orchestration, Automation, and Response (SOAR) platforms to trigger automated incident response workflows. This integration creates a robust security framework that combines real-time event sharing with the principle of least privilege, enabling organizations to respond rapidly and collaboratively to security threats.