


It's sad to see how little the state of the art has moved on in the last few years, and I feel that XACML implementations continue to disappoint.

I said a little while ago that XACML is 'like LDIF without LDAP'. Ferrying stuff around in SAML is an ugly kludge to get around the lack of a standardised PDP interface, and to realise its ambition I feel that the XACML implementation vendors need to get together and crack this. We'll know that we've won when 3rd party application (and service) vendors implement stuff to that interface rather than always baking in their own mini entitlements server (as they did a decade ago with AD/LDAP and authentication).


@Cpswan - I agree that vendors need to work on this, but I don't agree that XACML is LDIF w/o LDAP. For one thing, XACML has rule combinations and permutations built into the language that can handle a wide variety of FGA; in addition, it can be used on a much wider set of use cases outside of directories.

Agree overall that authZ standards progress has been uninspiring, but I think/hope that XACML will be one that breaks through the quagmire.
