# Okta Feedback on CAEP Draft

## Credential Change Event

- Would like to see a structure similar to the one provided for the subject field in a "credential" field in the event.
  - For example, credential can be a JSON object that has a credential type field, and other fields depending upon the type of credential being used.
  - For example, OTP is not a credential type right now.
- How can we have a registry of credential types? We should be able to agree on additional credential types without having to change the spec.
- We need extensibility in the credentials schema.
- We should look at [AMR](https://datatracker.ietf.org/doc/html/rfc8176) for OAuth. For example, [EAP for OpenID](https://openid.net/specs/openid-connect-eap-acr-values-1_0.html) extends the ACR values.
- Privacy issues with credential change event?
  - PII such as phone number may end up being shared unnecessarily.
  - Legal agreements governing Receiver registration may be able to address this issue.

## Assurance Level Change Event

- Previous assurance level may not be known to the Transmitter.
  - Previous level field could therefore be optional.
- We should add a reason code to the event to indicate why the assurance level has changed.
- In a federated model, a relying party may only have "Federation Assurance Level" (FAL) and not "aal" (Authenticator Assurance Level).
- We should expand the set of possible values for assurance level.
- We should provide extensibility; the way the event is specified right now seems too restrictive.
- Can we work out an end-to-end use case where a session begins with an OIDC token with a certain assurance level, and then changes over time? How would you communicate such changes assuming the change originates at a device management service, an IdP, or an RP?
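As an added illustration of the Credential Change Event feedback above (a typed "credential" object, a registry of credential types that can grow without changing the event schema, and keeping PII such as a phone number out of the transmitted event), here is a hypothetical sketch in Python. It is not code from the Okta feedback or from the CAEP draft; the field names `credential_type`, `delivery`, `phone_number`, `issuer`, `serial`, the registered types and the sample event are all assumptions constructed for the example.

```python
from typing import Any, Dict, Tuple

# Registry of credential types (assumed for illustration). Each entry names the
# type-specific fields that must be present and the ones that carry PII and must
# not leave the Transmitter. Adding a type is a registry entry, not a change to
# the event validation below, which is the extensibility the feedback asks for.
CREDENTIAL_TYPES: Dict[str, Dict[str, Tuple[str, ...]]] = {}

def register_credential_type(name: str, required: Tuple[str, ...] = (),
                             pii: Tuple[str, ...] = ()) -> None:
    CREDENTIAL_TYPES[name] = {"required": required, "pii": pii}

# Assumed initial entries; "otp" is the type the feedback notes is missing today.
register_credential_type("password")
register_credential_type("x509", required=("issuer", "serial"))
register_credential_type("otp", required=("delivery",), pii=("phone_number",))

def validate_credential(cred: Any) -> str:
    """Check a credential object against the registry and return its type."""
    if not isinstance(cred, dict) or "credential_type" not in cred:
        raise ValueError("credential must be an object with credential_type")
    ctype = cred["credential_type"]
    if ctype not in CREDENTIAL_TYPES:
        raise ValueError(f"unregistered credential type: {ctype!r}")
    missing = [f for f in CREDENTIAL_TYPES[ctype]["required"] if f not in cred]
    if missing:
        raise ValueError(f"{ctype}: missing fields {missing}")
    return ctype

def is_valid_credential(cred: Any) -> bool:
    try:
        validate_credential(cred)
        return True
    except ValueError:
        return False

def prepare_event(event: Dict[str, Any]) -> Dict[str, Any]:
    """Validate a credential-change event and strip the registered PII fields
    of its credential type before the event is handed to the Transmitter."""
    cred = event["credential"]
    ctype = validate_credential(cred)
    pii = CREDENTIAL_TYPES[ctype]["pii"]
    return {**event, "credential": {k: v for k, v in cred.items() if k not in pii}}

# Constructed sample event (subject structure assumed for the example).
SAMPLE_EVENT = {
    "subject": {"format": "email", "email": "user@example.com"},
    "credential": {"credential_type": "otp", "delivery": "sms",
                   "phone_number": "+1-555-0100"},
    "change_type": "create",
}
```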