XACML doesn't exactly roll off the tongue or set hearts racing – El Reg has seen fit to mention it one whole time in our web history. But the standard, which reached version 3.0 in January 2013 and is billed as an authentication-enabler “that describes both a policy language and an access control decision request/response …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Sunday 12th May 2013 20:34 GMT Bruno Girin

I've had a look at XACML about a year ago in the context of a single sign-on solution based on SAML. It does make sense in this context because most products that support SAML tend to support some version or other of XACML. Having said that, if you are considering such technologies, it means you're talking to the likes of IBM, Oracle, CA, etc so whatever you do won't come cheap, which is fine if you are working for a large multi-national that requires all its software to have a blue or red badge on it and cost an arm and a leg.

Now, if you work for an SME, you're probably better off looking at OpenID and OAuth.

3 0
Sunday 12th May 2013 20:43 GMT Terry Cloth

You asked....

No. No. n/a. No.

2 0
Sunday 12th May 2013 21:09 GMT cookieMonster

huh...

never heard of it . . . .

2 0
1. Monday 13th May 2013 08:38 GMT g e
  
  Re: huh...
  
  seconded
  
  2 1
2. Monday 13th May 2013 17:52 GMT Marvin the Martian
  
  Thirded.
  
  As long as the "A" doesn't stand for "APL" snuck into the "XML" it's all fine by me. What the "C" would be for, is harmless by comparison.
  
  0 0
Sunday 12th May 2013 21:23 GMT Angron

To my company (some 50k emp) XACML fills s number of business critical needs and we plan to widen the implementation substantially over the years to come.

I believe that Forrester are just trying to get some head lines.

0 0
1. Sunday 12th May 2013 22:13 GMT Don Jefe
  
  So what's Gartner paying for a supporting comment campaign these days?
  
  3 2
Sunday 12th May 2013 21:32 GMT Anonymous Coward

there's a list of outraged bloggers

Can I justify my opinions pointing to a list of bloggers?

How hard is to get a list of outraged bloggers for/agains anything?

1 0
Sunday 12th May 2013 21:57 GMT James 47

OAuth.. easy to use

Try implementing the protocol on a mobile device

2 0
Sunday 12th May 2013 22:23 GMT Anonymous Coward

They're both right.

But comparing them is like comparing apples and oranges. They're meant for different audiences, different deployment strategies.

So I guess you can also say they're both wrong in failing to even realise the basics.

I will add that XACML will never go mainstream because of it's use of XML. An arcane, in-efficient, bloated pile of crap there ever was in the tech world.

Now that I've given a preview analysis of these analyst and access control technologies, if you want to read a more in-depth report please pay me lots of money, or for approximately 1/6 of that I'll write you the best access control middle layer there ever was, you won't even need an IT administrator that can read structured text after that. Funny how that works eh? Money in tech that is.

7 5
1. Sunday 12th May 2013 22:41 GMT Destroy All Monsters
  
  Re: They're both right.
  
  > XML. An arcane, in-efficient, bloated pile of crap
  
  It's a fracking markup language described in a few pages. Come down your sickly horse, please and stop with the sophomoric name calling.
  
  > I'll write you the best access control middle layer there ever was,
  
  Right. I would show the door real quick and tell you to learn something first.
  
  > Funny how that works eh? Money in tech that is.
  
  No, AC, you are the cancer.
  
  5 7
  1. Monday 13th May 2013 08:07 GMT Anonymous Coward
    
    Re: They're both right.
    
    "> XML. An arcane, in-efficient, bloated pile of crap
    
    It's a fracking markup language described in a few pages."
    
    Fair point, it's an arcane, inefficient, bloated pile of crap described in a few pages.
    
    4 0
2. Tuesday 14th May 2013 20:51 GMT Daniel B.
  
  XML is bloated.
  
  It does have its uses, but "XML Fever" has made XML find its way into stuff where it was never intended to be used.
  
  Then there are those who now eschew XML ... and then instead come up with JSON. Gah!
  
  All of these schemes are basically re-inventing ASN.1 anyway...
  
  1 0
  1. Wednesday 15th May 2013 15:50 GMT Michael Wojcik
    
    Re: XML is bloated.
    
    ASN.1 - now there's a bloated pile of crap for you.
    
    "Oh, the BER are ambiguous, so we'll have to use the DER. OK, should I send this string as a PrintableString? A UTF8String? A T61String? An IA5String? GeneralString? VisibleString? UniversalString?"
    
    And that's just DER; there are 8 sets of encoding rules (9 if you distinguish between UPER and CPER). Was that really necessary? And DER, which seems to be the most widely used encoding (it's the one I run into most often, e.g. for accursed X.509), is pretty ghastly, what with its bit-level binary format; it's a pain to decode by hand and a single-bit error in the wrong place often makes it impossible even to guess at what the message was supposed to be. (It's reminiscent of SNA and similar bit-twiddling protocol families in that respect.)
    
    Thanks, I'll take XML. At least it's often human-readable in traces, and possible to process and edit with generic text-processing tools.
    
    Of course there's ASN.1 XER (XML Encoding Rules), which combines the worst of both worlds.
    
    (Also, ASN.1 was hardly the first structured data format. Various CSV variants, GML,[1] and S-expressions all preceded it, for example, and XDR is contemporaneous.)
    
    [1] While SGML, the standardized version, only appeared a couple of years after the first ASN.1 standard, its predecessor GML had been around for more than a decade at that point.
    
    1 0
Sunday 12th May 2013 22:37 GMT Destroy All Monsters

Forester and Gardner?

I think that's "Forrester" though, like in "Forrest Gump", not "Forester", which is a car...

1 0
Sunday 12th May 2013 22:40 GMT Mikel

Never heard of it.

Prefer YAFML myself.

1 0
Sunday 12th May 2013 22:41 GMT RLWatkins

Too many disjoint questions rolled into one. Try this:

Are markup languages dead? They're a way of adding metadata to text, and are often used to describe data structures in human-readable form. We'll be doing that for a long time.

Is XACML dead? No, the markup part simply describes a record of data used for authentication. The semantics are separate. It will evolve, the semantics will evolve. Standards do that, you know.

Is XACML going to be superseded by Oauth? That's a lot like asking whether crescent wrenches will render socket wrenches obsolete. They'll probably both change beyond recognition sooner or later.

Is it important? Insofar as it is a tool, yes. About like vice-grips are important.

As a humor piece this article is quite good, but otherwise worth a yawn.

4 0
1. Monday 13th May 2013 03:20 GMT Anonymous Coward
  
  @RLWatkins
  
  Let me troll and ask a question with no knowledge of this. Being sockets have damn near replaced adjustable wrenches for more jobs than they haven't (especially when you factor in torque via socket), would you say XACML is the wrench, or the socket? I know nothing about this, but reading the posts here make it sound like XACML is pivotal to some, but not to the majority.
  
  So, are these blog rants about anything other than the death of becoming popular? I totally trolled this, but I really like your wrench vs. socket thing...props :-)
  
  1 0
  1. Monday 13th May 2013 11:42 GMT Ben Bonsall
    
    Can't beat an adjustable stilson for plumbing, or any situation where a socket has knackered the head or nut.
    
    1 0
Sunday 12th May 2013 22:47 GMT Anonymous Coward

XACML is about as important to me...

...as a Rubik's Cube is to a cat.

Let it die.

0 1
Monday 13th May 2013 00:13 GMT jake

I looked at Version 2.0 once, in early 2005ish.

Found it to be a solution in search of a nonexistent problem. I haven't thought about it since, until now. I've never seen it in use in the wild, either, that I can remember.

I agree with "Let it die." ... in fact I'll buy a round in support of the idea :-)

3 0
Monday 13th May 2013 02:16 GMT xyz

Gartner...

IBM and Oracle's marketing dept

1 0
1. Monday 13th May 2013 07:31 GMT SecurityPedant
  
  Re: Gartner...
  
  Absolutely. Gartner are mostly a paid PR company.
  
  On the XACML subject however, the problem is that trying to externalize authorization is damn hard when SAP/Oracle/IBM WANT their platforms to be the source of policy. It's part of the value of building the massive enterprise ERP platforms. So while XACML fills a need, the need is depressed by the vendor. So either the customers need to force the standard on people or it will never work.
  
  0 0
Monday 13th May 2013 06:53 GMT John Smith 19

So for big companies who do big things yes it is.

For everyone else, not so much.

0 0
Monday 13th May 2013 09:15 GMT PassingCloud

Often, these proprietal protocols are just another wheeze to ease coin from the dumb clients.

If you are gullable, go for it-but prepare for the day when you will be peniless and unemployed while the big corps count their money and care....nothing.

0 0
Monday 13th May 2013 12:28 GMT Anonymous Coward

Forrester Gump versus Chauncey Gartner

Chauncey: As long as the roots are not severed, all is well.

Forrester: Sometimes, I guess there just aren't enough rocks.

1 0
1. Monday 13th May 2013 18:17 GMT Joe Drunk
  
  Re: Forrester Gump versus Chauncey Gartner
  
  Best comment yet!
  
  0 0
This post has been deleted by its author