back to article Analysts brawl over 'death' of markup language

XACML doesn't exactly roll off the tongue or set hearts racing – El Reg has seen fit to mention it one whole time in our web history. But the standard, which reached version 3.0 in January 2013 and is billed as an authentication-enabler “that describes both a policy language and an access control decision request/response …

COMMENTS

This topic is closed for new posts.

I've had a look at XACML about a year ago in the context of a single sign-on solution based on SAML. It does make sense in this context because most products that support SAML tend to support some version or other of XACML. Having said that, if you are considering such technologies, it means you're talking to the likes of IBM, Oracle, CA, etc so whatever you do won't come cheap, which is fine if you are working for a large multi-national that requires all its software to have a blue or red badge on it and cost an arm and a leg.

Now, if you work for an SME, you're probably better off looking at OpenID and OAuth.

3
0
Bronze badge
Coat

You asked....

No. No. n/a. No.

2
0
Unhappy

huh...

never heard of it . . . .

2
0
g e
Silver badge

Re: huh...

seconded

2
1
Paris Hilton

Thirded.

As long as the "A" doesn't stand for "APL" snuck into the "XML" it's all fine by me. What the "C" would be for, is harmless by comparison.

0
0

To my company (some 50k emp) XACML fills s number of business critical needs and we plan to widen the implementation substantially over the years to come.

I believe that Forrester are just trying to get some head lines.

0
0
Silver badge
Joke

So what's Gartner paying for a supporting comment campaign these days?

3
2
Anonymous Coward

there's a list of outraged bloggers

Can I justify my opinions pointing to a list of bloggers?

How hard is to get a list of outraged bloggers for/agains anything?

1
0

OAuth.. easy to use

Try implementing the protocol on a mobile device

2
0
Anonymous Coward

They're both right.

But comparing them is like comparing apples and oranges. They're meant for different audiences, different deployment strategies.

So I guess you can also say they're both wrong in failing to even realise the basics.

I will add that XACML will never go mainstream because of it's use of XML. An arcane, in-efficient, bloated pile of crap there ever was in the tech world.

Now that I've given a preview analysis of these analyst and access control technologies, if you want to read a more in-depth report please pay me lots of money, or for approximately 1/6 of that I'll write you the best access control middle layer there ever was, you won't even need an IT administrator that can read structured text after that. Funny how that works eh? Money in tech that is.

7
5
Silver badge
Facepalm

Re: They're both right.

> XML. An arcane, in-efficient, bloated pile of crap

It's a fracking markup language described in a few pages. Come down your sickly horse, please and stop with the sophomoric name calling.

> I'll write you the best access control middle layer there ever was,

Right. I would show the door real quick and tell you to learn something first.

> Funny how that works eh? Money in tech that is.

No, AC, you are the cancer.

5
7
Anonymous Coward

Re: They're both right.

"> XML. An arcane, in-efficient, bloated pile of crap

It's a fracking markup language described in a few pages."

Fair point, it's an arcane, inefficient, bloated pile of crap described in a few pages.

4
0

This post has been deleted by a moderator

Silver badge
Thumb Up

XML - "overuse in programming frameworks is annoying"

Indeed. in may cases it's used as a vendor lock-in to tie us into their XML-manipulation setup programs that restrict us to a subset of the product's capabiliries, unless we pay extra for "XXX Enterprise manager" or some similarly-named crap.

Which would you rather edit to configure a package?

[global]

option = value

option-2 = fred, joe, , ...

etc.

[section 1]

foo = value

bar = value, value, value ...

Or

<XXXconfig><XXXglobals><option>value</option>

<option2><option2-item>fred</option2-item><option-2 item>joe</option2-item>...

</option2>

etc

</XXXglobals>

<XXXsection1>

etc etc. etc?

And by the way, there probably won't be any CR's in the XML file, it'll be kilobytes of XML all on one line as far as a text editor is concerned, and it'll treat any CRs between the tags as actual data to be fed into the thing that you're trying to configure, thereby creating obscure problems.

Yes, I know you can get a generic XML editor ...

0
1
Gold badge
WTF?

Re: XML - "overuse in programming frameworks is annoying"

....it'll be kilobytes of XML all on one line as far as a text editor is concerned....

There are people who don't use Notepad++ as their default text editor?

2
0
P_0

Re: XML - "overuse in programming frameworks is annoying"

I prefer Sublime to Notepad++;

0
0
FAIL

Re: They're both right.

You are joking about Java right?

1
1
Anonymous Coward

Re: XML - "overuse in programming frameworks is annoying"

"in may cases it's used as a vendor lock-in to tie us into their XML-manipulation setup "

Yo have got to be kidding. XML used as a vendor lock in for config files? It's plain text, simple with free editors to edit (even if it doesn't like \r\n (in which case it's not really XML) you can put them in and then strip them out automatically.

If a vendor wants to lock you in the most basic they could do is use a binary file, or even worse use an encrypted binary file.

With a properly defined schema XML is probably the easiest way of accessing a system, even someone with very limited experience can create applications to communicate with it or manipulate it.

You can even write a simple Excel program in a few minutes that will read and write XML data to a completely proprietary software system using XML via, for instance, web services.

1
0
Silver badge

XML is bloated.

It does have its uses, but "XML Fever" has made XML find its way into stuff where it was never intended to be used.

Then there are those who now eschew XML ... and then instead come up with JSON. Gah!

All of these schemes are basically re-inventing ASN.1 anyway...

1
0
Silver badge

Re: XML is bloated.

ASN.1 - now there's a bloated pile of crap for you.

"Oh, the BER are ambiguous, so we'll have to use the DER. OK, should I send this string as a PrintableString? A UTF8String? A T61String? An IA5String? GeneralString? VisibleString? UniversalString?"

And that's just DER; there are 8 sets of encoding rules (9 if you distinguish between UPER and CPER). Was that really necessary? And DER, which seems to be the most widely used encoding (it's the one I run into most often, e.g. for accursed X.509), is pretty ghastly, what with its bit-level binary format; it's a pain to decode by hand and a single-bit error in the wrong place often makes it impossible even to guess at what the message was supposed to be. (It's reminiscent of SNA and similar bit-twiddling protocol families in that respect.)

Thanks, I'll take XML. At least it's often human-readable in traces, and possible to process and edit with generic text-processing tools.

Of course there's ASN.1 XER (XML Encoding Rules), which combines the worst of both worlds.

(Also, ASN.1 was hardly the first structured data format. Various CSV variants, GML,[1] and S-expressions all preceded it, for example, and XDR is contemporaneous.)

[1] While SGML, the standardized version, only appeared a couple of years after the first ASN.1 standard, its predecessor GML had been around for more than a decade at that point.

1
0
Silver badge
Coat

Forester and Gardner?

I think that's "Forrester" though, like in "Forrest Gump", not "Forester", which is a car...

1
0
Silver badge
Devil

Never heard of it.

Prefer YAFML myself.

1
0

Too many disjoint questions rolled into one. Try this:

Are markup languages dead? They're a way of adding metadata to text, and are often used to describe data structures in human-readable form. We'll be doing that for a long time.

Is XACML dead? No, the markup part simply describes a record of data used for authentication. The semantics are separate. It will evolve, the semantics will evolve. Standards do that, you know.

Is XACML going to be superseded by Oauth? That's a lot like asking whether crescent wrenches will render socket wrenches obsolete. They'll probably both change beyond recognition sooner or later.

Is it important? Insofar as it is a tool, yes. About like vice-grips are important.

As a humor piece this article is quite good, but otherwise worth a yawn.

4
0
Bronze badge
Trollface

@RLWatkins

Let me troll and ask a question with no knowledge of this. Being sockets have damn near replaced adjustable wrenches for more jobs than they haven't (especially when you factor in torque via socket), would you say XACML is the wrench, or the socket? I know nothing about this, but reading the posts here make it sound like XACML is pivotal to some, but not to the majority.

So, are these blog rants about anything other than the death of becoming popular? I totally trolled this, but I really like your wrench vs. socket thing...props :-)

1
0
Bronze badge

Can't beat an adjustable stilson for plumbing, or any situation where a socket has knackered the head or nut.

1
0
Anonymous Coward

XACML is about as important to me...

...as a Rubik's Cube is to a cat.

Let it die.

0
1
Silver badge
Pint

I looked at Version 2.0 once, in early 2005ish.

Found it to be a solution in search of a nonexistent problem. I haven't thought about it since, until now. I've never seen it in use in the wild, either, that I can remember.

I agree with "Let it die." ... in fact I'll buy a round in support of the idea :-)

3
0
xyz
Devil

Gartner...

IBM and Oracle's marketing dept

1
0

Re: Gartner...

Absolutely. Gartner are mostly a paid PR company.

On the XACML subject however, the problem is that trying to externalize authorization is damn hard when SAP/Oracle/IBM WANT their platforms to be the source of policy. It's part of the value of building the massive enterprise ERP platforms. So while XACML fills a need, the need is depressed by the vendor. So either the customers need to force the standard on people or it will never work.

0
0
Gold badge
Meh

So for big companies who do big things yes it is.

For everyone else, not so much.

0
0

Often, these proprietal protocols are just another wheeze to ease coin from the dumb clients.

If you are gullable, go for it-but prepare for the day when you will be peniless and unemployed while the big corps count their money and care....nothing.

0
0

This post has been deleted by a moderator

Anonymous Coward

Forrester Gump versus Chauncey Gartner

Chauncey: As long as the roots are not severed, all is well.

Forrester: Sometimes, I guess there just aren't enough rocks.

1
0
Coffee/keyboard

Re: Forrester Gump versus Chauncey Gartner

Best comment yet!

0
0

"The nice thing about standards is that you have so many to choose from. "

- Andrew S. Tanenbaum

Ok, I'm NOT a security expert - that said, I thought I had at least a passing handle on what is what...but honestly, I did not, before today, know that XACML exists.

Not sure if that says more about me or the markup language....

1
0
This topic is closed for new posts.

Forums