[Openid-specs-mobile-profile] Scoped subjects and the azure breach
ve7jtb at ve7jtb.com
Fri May 27 18:13:41 UTC 2016
At our last Face to Face, people asked for a pointer to more information on the compromise of Azure AD.
I did a short blog post that includes a link to the analysis done by the InCommon federation of the issue.
I should point out that Microsoft has not made any public statements about this, and all the communications to universities have been under NDA, so while I believe that the analysis of the problem with not properly scoping subjects is correct and not unique to Azure, I suspect that Microsoft believes that no real breach took place or they would have had to make a public breach statement.
This is mostly background for your information, as it may be relevant to the GSMA’s initial portability proposal.