openid · iamseanodentity · Feb 17, 2026 · Dec 29, 2025 · Dec 29, 2025 · Jan 5, 2026
@@ -154,118 +154,186 @@ transmitter APIs, as per [RFC6125]{{RFC6125}}.
 
 ## CAEP specification version
 
-This specification supports CAEP {{CAEP}} events from OpenID Continuous Access Evaluation Profile 1.0.
+This specification supports CAEP {{CAEP}} events from OpenID Continuous Access
+Evaluation Profile 1.0.
 
 ## Transmitters {#common-transmitters}
 
-Transmitters MUST implement the following features:
+Transmitters MUST implement the following features.
 
 ### Spec Version {#spec-version}
 
-The Transmitter Configuration Metadata MUST have a `spec_version` field, and its
-value MUST be `1_0` or greater
+The Transmitter Configuration Metadata MUST include a `spec_version` field, and
+its value MUST be `1_0` or greater.
 
 ### Delivery Method {#delivery-method}
 
 The Transmitter Configuration Metadata MUST include the
 `delivery_methods_supported` field.
 
-### JWKS URI {#jwks-uri}
+### JWKS URI {#transmitter-jwks-uri}
 
 The Transmitter Configuration Metadata MUST include the `jwks_uri` field, and
-its value MUST provide the current signing key of the Transmitter.
+upon resolution, its value MUST provide the current signing key(s) of the
+Transmitter.
 
 ### Configuration Endpoint {#configuration-endpoint}
 
 The Transmitter Configuration Metadata MUST include the `configuration_endpoint`
-field. The specified endpoint MUST support the `POST` method in order to be able
-to create a stream.
+field as defined in {{SSF}} Section 7.1.
+
+The endpoint identified by `configuration_endpoint` is used to perform the
+Create Stream operation as defined in {{SSF}} Section 8.1.1.
 
 ### Status Endpoint {#status-endpoint}
 
 The Transmitter Configuration Metadata MUST include the `status_endpoint` field.
-The specified endpoint MUST support the `GET` and `POST` methods in order to get
-and update the stream status respectively. The Transmitter MUST support the
-following values in an Update Stream Status request:
-
-* `enabled`
-* `paused`
-* `disabled`
 
-For streams that are `paused`, the Transmitter MUST specify (offline) the
-resource constraints on how many events it can keep, or for how long. The way a
-Transmitter specifies this information is outside the scope of the SSF spec.
+The endpoint identified by status_endpoint MUST support the Read Stream Status
+(HTTP GET) operation as defined in {{SSF}} Sections 8.1.2.1.
 
 ### Verification Endpoint {#verification-endpoint}
 
 The Transmitter Configuration Metadata MUST include the `verification_endpoint`
-field. The specified endpoint MUST provide a way to request verification events
-to be sent.
+field.
+
+The endpoint identified by `verification_endpoint` MUST support Stream
+Verification as defined in {{SSF}} Section 8.1.4.
 
 ### Authorization Schemes
 
 The Transmitter Configuration Metadata MUST include the `authorization_schemes`
-field and its value MUST include the value
+field and its value MUST include the value:
 
-~~~json
+```json
 {
-    "spec_urn": "urn:ietf:rfc:6749"
+  "spec_urn": "urn:ietf:rfc:6749"
 }
-~~~
+```
 
-### Streams {#common-stream-configuration}
+### Streams {#transmitter-common-stream-configuration}
 
-In all streams created by the Transmitter, the following MUST be true:
+Transmitters MUST support all required properties and API contracts defined by
+{{SSF}} Stream Management API operations, in addition to the requirements
+specified in this section.
 
-#### Delivery {#common-delivery}
+For all Stream Management API requests received by the Transmitter, the
+following MUST be true.
 
-A Transmitter MUST be able to accept a Create Stream request that includes
-either of the following delivery methods:
+#### Delivery {#transmitter-common-delivery}
 
-* urn:ietf:rfc:8935 (Push)
-* urn:ietf:rfc:8936 (Poll)
+The Transmitter MUST support Create Stream requests whose `delivery.method` is
+set to one of the following values:
 
-The `delivery` field MUST be present in the Configuration of any Stream
-generated by the Transmitter, and its value MUST include one of the two delivery
-methods listed above.
+* `urn:ietf:rfc:8935` (Push)
+* `urn:ietf:rfc:8936` (Poll)
 
-#### Stream Control
+When a Receiver makes a Create Stream request as defined in {{SSF}} Section
+8.1.1.1 with valid authorization, the Transmitter MUST process the request as
+specified in {{SSF}}.
+
+Upon successful creation of a Stream, the Transmitter MUST include a `delivery`
+field in the resulting Stream Configuration, and its `method` value MUST be one
+of the delivery methods listed above.
 
-The following Stream Configuration API Methods MUST be supported:
+#### Stream Control
 
-**Creating a Stream**
-: Receivers MUST be able to create a Stream with the Transmitter using valid
-authorization with the Transmitter. The Transmitter MAY support multiple streams
-with the same Receiver
+**Create Stream**
+: The Transmitter MUST support the Create Stream operation as defined in
+{{SSF}} Section 8.1.1.1 when invoked by a Receiver with valid authorization.
 
-**Reading Stream Configuration**
-: A Receiver MUST be able to obtain current Stream configuration from the
-Transmitter by providing a valid authorization
+**Read Stream Configuration**
+: The Transmitter MUST support the Read Stream Configuration operation as
+defined in {{SSF}} Section 8.1.1.2 when invoked by a Receiver with valid
+authorization.
 
-**Getting the Stream Status**
-: A Receiver MUST be able to obtain the current Stream status from the
-Transmitter by providing a valid authorization
+**Get Stream Status**
+: The Transmitter MUST support the Read Stream Status operation as defined in
+{{SSF}} Section 8.1.2.1 when invoked by a Receiver with valid authorization.
 
 **Stream Verification**
-: A Receiver MUST be able to verify the liveness of the Stream by requesting
-that the Transmitter send it a Stream Verification event by providing a valid
-authorization
+: The Transmitter MUST support Stream Verification as defined in
+{{SSF}} Section 8.1.4.2 and MUST generate a Verification Event as defined in
+{{SSF}} Section 8.1.4.1 when requested by a Receiver with valid authorization.
+
+**Deleting a Stream**
+: The Transmitter MUST support the Delete Stream operation as defined in
+{{SSF}} Section 8.1.1.5 when invoked by a Receiver with valid authorization.
 
 ## Receivers {#common-receivers}
 
-Receivers MUST implement the following features:
+Receivers MUST implement the following features.
 
 ### Delivery Methods {#common-receiver-delivery}
 
-Receivers MUST be able to accept events using the Push-Based Security Event
-Token (SET) Delivery Using HTTP {{RFC8935}} specification and the Poll-Based
-Security Event Token (SET) Delivery Using HTTP {{RFC8936}} specification.
+Receivers MUST be able to accept events using any one of the two delivery
+methods:
+
+* Push-Based Security Event Token (SET) Delivery Using HTTP {{RFC8935}}
+* Poll-Based Security Event Token (SET) Delivery Using HTTP {{RFC8936}}
+
+### JWKS URI {#receiver-jwks-uri}
+
+The Receiver MUST obtain the Transmitter’s signing key(s) using the `jwks_uri`
+from the Transmitter Configuration Metadata, as defined in {{SSF}} Section 7.1.
+
+### Authorization Schemes {#receivers-authorization-schemes}
+
+The Receiver MUST use OAuth 2.0 {{RFC6749}} when making Stream Management API
+requests to the Transmitter.
 
 ### Implicitly Added Subjects {#common-receiver-subjects}
 
-Receivers MUST assume that all subjects are implicitly included in a Stream,
+The Receiver MUST assume that all subjects are implicitly included in a Stream,
 without any `AddSubject` method invocations.
 
+### Streams {#receiver-common-stream-configuration}
+
+Receivers MUST support all required properties and API contracts defined by
+{{SSF}} Stream Management API operations, in addition to the requirements
+specified in this section.
+
+For Stream Management API requests initiated by the Receiver, and for Streams
+created by the Receiver, the following MUST be true.
+
+#### Delivery {#common-delivery}
+
+When creating a Stream using the Create Stream operation defined in {{SSF}}
+Section 8.1.1.1, the Receiver MUST include a `delivery` object whose `method`
+value is one of the following, or omit the `delivery` object.
+
+* `urn:ietf:rfc:8935` (Push)
+* `urn:ietf:rfc:8936` (Poll)
+
+If the Create Stream request does not include the `delivery` property, it is
+assumed to be delivery method of `urn:ietf:rfc:8936` (Poll), as
+defined in {{SSF}}.
+
+#### Stream Control {#receivers-stream-control}
+
+The following Stream Management operations MUST be supported by the Receiver.
+
+**Create Stream**
+: The Receiver MUST be able to invoke the Create Stream operation as defined in
+{{SSF}} Section 8.1.1.1 using valid authorization.
+
+**Read Stream Configuration**
+: The Receiver MUST be able to invoke the Read Stream Configuration operation as
+defined in {{SSF}} Section 8.1.1.2 using valid authorization.
+
+**Get Stream Status**
+: The Receiver MUST be able to invoke the Read Stream Status operation as
+defined in {{SSF}} Section 8.1.2.1 using valid authorization.
+
+**Stream Verification**
+: The Receiver MUST be able to initiate Stream Verification as defined in
+{{SSF}} Section 8.1.4.2 using valid authorization, and MUST be able to process
+the resulting Verification Event as defined in {{SSF}} Section 8.1.4.1.
+
+**Deleting a Stream**
+: The Receiver MUST be able to invoke the Delete Stream operation as defined in
+{{SSF}} Section 8.1.1.5 using valid authorization.
+
 ## Event Subjects {#common-event-subjects}
 
 The following subject identifier formats from "Subject Identifiers for Security