[Openid-specs-mobile-profile] Scoped subjects and the azure breach

John Bradley ve7jtb at ve7jtb.com
Fri May 27 18:13:41 UTC 2016

At our last Face to Face people asked for a pointer to more information on the compromise of Azure AD.

I did a short blog post that includes a link to the analysis done by the InCommon federation of the issue.

I should point out that Microsoft has not made any public statements about this and all the communications to Universities have been under NDA, so while I believe that the analysis of the problem with not properly scoping subjects is correct and not unique to Azure, I suspect that Microsoft believes that no real breach took place or they would have had to make a public breach statement.

This is mostly background for your information, as it may be relevant to the GSMA’s initial portability proposal.

John B.