Analysts brawl over 'death' of markup language

XACML doesn't exactly roll off the tongue or set hearts racing – El Reg has seen fit to mention it one whole time in our web history. But the standard, which reached version 3.0 in January 2013 and is billed as an authentication-enabler “that describes both a policy language and an access control decision request/response …

COMMENTS

This topic is closed for new posts.
  1. Bruno Girin

    I had a look at XACML about a year ago in the context of a single sign-on solution based on SAML. It does make sense in this context because most products that support SAML tend to support some version or other of XACML. Having said that, if you are considering such technologies, it means you're talking to the likes of IBM, Oracle, CA, etc., so whatever you do won't come cheap, which is fine if you are working for a large multi-national that requires all its software to have a blue or red badge on it and cost an arm and a leg.

    Now, if you work for an SME, you're probably better off looking at OpenID and OAuth.

  2. Terry Cloth
    Coat

    You asked....

    No. No. n/a. No.

  3. cookieMonster Silver badge
    Unhappy

    huh...

    never heard of it . . . .

    1. g e

      Re: huh...

      seconded

    2. Marvin the Martian
      Paris Hilton

      Thirded.

      As long as the "A" doesn't stand for "APL" snuck into the "XML" it's all fine by me. What the "C" would be for, is harmless by comparison.

  4. Angron

    To my company (some 50k emp) XACML fills a number of business critical needs and we plan to widen the implementation substantially over the years to come.

    I believe that Forrester are just trying to get some headlines.

    1. Don Jefe
      Joke

      So what's Gartner paying for a supporting comment campaign these days?

  5. Anonymous Coward

    there's a list of outraged bloggers

    Can I justify my opinions pointing to a list of bloggers?

    How hard is it to get a list of outraged bloggers for/against anything?

  6. James 47

    OAuth.. easy to use

    Try implementing the protocol on a mobile device

  7. Anonymous Coward

    They're both right.

    But comparing them is like comparing apples and oranges. They're meant for different audiences, different deployment strategies.

    So I guess you can also say they're both wrong in failing to even realise the basics.

    I will add that XACML will never go mainstream because of its use of XML. An arcane, in-efficient, bloated pile of crap there ever was in the tech world.

    Now that I've given a preview analysis of these analyst and access control technologies, if you want to read a more in-depth report please pay me lots of money, or for approximately 1/6 of that I'll write you the best access control middle layer there ever was, you won't even need an IT administrator that can read structured text after that. Funny how that works eh? Money in tech that is.

    1. Destroy All Monsters Silver badge
      Facepalm

      Re: They're both right.

      > XML. An arcane, in-efficient, bloated pile of crap

      It's a fracking markup language described in a few pages. Come down off your sickly horse, please, and stop with the sophomoric name calling.

      > I'll write you the best access control middle layer there ever was,

      Right. I would show the door real quick and tell you to learn something first.

      > Funny how that works eh? Money in tech that is.

      No, AC, you are the cancer.

      1. Anonymous Coward

        Re: They're both right.

        "> XML. An arcane, in-efficient, bloated pile of crap

        It's a fracking markup language described in a few pages."

        Fair point, it's an arcane, inefficient, bloated pile of crap described in a few pages.

    2. Daniel B.

      XML is bloated.

      It does have its uses, but "XML Fever" has made XML find its way into stuff where it was never intended to be used.

      Then there are those who now eschew XML ... and then instead come up with JSON. Gah!

      All of these schemes are basically re-inventing ASN.1 anyway...

      1. Michael Wojcik Silver badge

        Re: XML is bloated.

        ASN.1 - now there's a bloated pile of crap for you.

        "Oh, the BER are ambiguous, so we'll have to use the DER. OK, should I send this string as a PrintableString? A UTF8String? A T61String? An IA5String? GeneralString? VisibleString? UniversalString?"

        And that's just DER; there are 8 sets of encoding rules (9 if you distinguish between UPER and CPER). Was that really necessary? And DER, which seems to be the most widely used encoding (it's the one I run into most often, e.g. for accursed X.509), is pretty ghastly, what with its bit-level binary format; it's a pain to decode by hand and a single-bit error in the wrong place often makes it impossible even to guess at what the message was supposed to be. (It's reminiscent of SNA and similar bit-twiddling protocol families in that respect.)

        Thanks, I'll take XML. At least it's often human-readable in traces, and possible to process and edit with generic text-processing tools.

        Of course there's ASN.1 XER (XML Encoding Rules), which combines the worst of both worlds.

        (Also, ASN.1 was hardly the first structured data format. Various CSV variants, GML,[1] and S-expressions all preceded it, for example, and XDR is contemporaneous.)

        [1] While SGML, the standardized version, only appeared a couple of years after the first ASN.1 standard, its predecessor GML had been around for more than a decade at that point.

  8. Destroy All Monsters Silver badge
    Coat

    Forester and Gardner?

    I think that's "Forrester" though, like in "Forrest Gump", not "Forester", which is a car...

  9. Mikel
    Devil

    Never heard of it.

    Prefer YAFML myself.

  10. RLWatkins

    Too many disjoint questions rolled into one. Try this:

    Are markup languages dead? They're a way of adding metadata to text, and are often used to describe data structures in human-readable form. We'll be doing that for a long time.

    Is XACML dead? No, the markup part simply describes a record of data used for authentication. The semantics are separate. It will evolve, the semantics will evolve. Standards do that, you know.

    Is XACML going to be superseded by OAuth? That's a lot like asking whether crescent wrenches will render socket wrenches obsolete. They'll probably both change beyond recognition sooner or later.

    Is it important? Insofar as it is a tool, yes. About like vice-grips are important.

    As a humor piece this article is quite good, but otherwise worth a yawn.

    1. Anonymous Coward
      Trollface

      @RLWatkins

      Let me troll and ask a question with no knowledge of this. Being sockets have damn near replaced adjustable wrenches for more jobs than they haven't (especially when you factor in torque via socket), would you say XACML is the wrench, or the socket? I know nothing about this, but reading the posts here makes it sound like XACML is pivotal to some, but not to the majority.

      So, are these blog rants about anything other than the death of becoming popular? I totally trolled this, but I really like your wrench vs. socket thing...props :-)

      1. Ben Bonsall

        Can't beat an adjustable stilson for plumbing, or any situation where a socket has knackered the head or nut.

  11. Anonymous Coward

    XACML is about as important to me...

    ...as a Rubik's Cube is to a cat.

    Let it die.

  12. jake Silver badge
    Pint

    I looked at Version 2.0 once, in early 2005ish.

    Found it to be a solution in search of a nonexistent problem. I haven't thought about it since, until now. I've never seen it in use in the wild, either, that I can remember.

    I agree with "Let it die." ... in fact I'll buy a round in support of the idea :-)

  13. xyz Silver badge
    Devil

    Gartner...

    IBM and Oracle's marketing dept

    1. SecurityPedant

      Re: Gartner...

      Absolutely. Gartner are mostly a paid PR company.

      On the XACML subject however, the problem is that trying to externalize authorization is damn hard when SAP/Oracle/IBM WANT their platforms to be the source of policy. It's part of the value of building the massive enterprise ERP platforms. So while XACML fills a need, the need is depressed by the vendor. So either the customers need to force the standard on people or it will never work.

  14. John Smith 19 Gold badge
    Meh

    So for big companies who do big things yes it is.

    For everyone else, not so much.

  15. PassingCloud

    Often, these proprietary protocols are just another wheeze to ease coin from the dumb clients.

    If you are gullible, go for it, but prepare for the day when you will be penniless and unemployed while the big corps count their money and care....nothing.

  16. Anonymous Coward

    Forrester Gump versus Chauncey Gartner

    Chauncey: As long as the roots are not severed, all is well.

    Forrester: Sometimes, I guess there just aren't enough rocks.

    1. Joe Drunk
      Coffee/keyboard

      Re: Forrester Gump versus Chauncey Gartner

      Best comment yet!
