OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  Publicizing XACML & ABAC

    Posted 05-11-2017 22:25
    Hi,

    To follow up on today's call, here is what I have been doing to spread the good word on ABAC and XACML:

    - Update the XACML Wikipedia page: https://en.wikipedia.org/wiki/XACML
    - Create the ALFA Wikipedia page: https://en.wikipedia.org/wiki/ALFA_(XACML)
    - Create the ABAC page (would you believe it, it did not exist until 2 years ago): https://en.wikipedia.org/wiki/Attribute-Based_Access_Control - you'll notice there are issues with the page that need fixing (trustworthiness)
    - Link between OAuth and XACML
    - Maintain the xacml tag on Stack Overflow (http://stackoverflow.com/questions/tagged/xacml)
    - Speak at local IAM events, e.g. OWASP

    I've also been monitoring authorization-related questions on Stack Overflow as well as other Stack Exchange sites, e.g. https://softwareengineering.stackexchange.com and https://security.stackexchange.com

    There is still a long way to go. Most developers do not know how to implement authorization. At best they have heard of RBAC, but often they'll try to implement it themselves rather than use a library.

    There are a few things we could do:

    - Continue increasing the knowledge base on ABAC online (pretty much what I have been doing)
    - Collaborate with other entities, e.g. OWASP, NIST, OASIS (the relevant TCs), other standards bodies, e.g. SCIM, OAuth2...
    - We could deliver a cheat sheet for OWASP.
    - Take part in another XACML interop?
    - Be at another security conference?
    - What else?

    Thanks,
    David.


  • 2.  Re: [xacml] Publicizing XACML & ABAC

    Posted 05-11-2017 23:12
    Sorry I missed the meeting today -- seems like a good discussion. My dream for XACML is that I could write policies in common pseudo-code style: just if/then/else logic with a bit of paren to disambiguate. Something even a lawyer can use, is how I think of it.

    Martin

    On Thu, May 11, 2017 at 6:24 PM, David Brossard <david.brossard@axiomatics.com> wrote:

    > Hi,
    >
    > To follow up on today's call, here is what I have been doing to spread the good word on ABAC and XACML:
    >
    > - Update the XACML Wikipedia page: https://en.wikipedia.org/wiki/XACML
    > - Create the ALFA Wikipedia page: https://en.wikipedia.org/wiki/ALFA_(XACML)
    > - Create the ABAC page (would you believe it, it did not exist until 2 years ago): https://en.wikipedia.org/wiki/Attribute-Based_Access_Control - you'll notice there are issues with the page that need fixing (trustworthiness)
    > - Link between OAuth and XACML
    > - Maintain the xacml tag on Stack Overflow (http://stackoverflow.com/questions/tagged/xacml)
    > - Speak at local IAM events, e.g. OWASP
    >
    > I've also been monitoring authorization-related questions on Stack Overflow as well as other Stack Exchange sites, e.g. https://softwareengineering.stackexchange.com and https://security.stackexchange.com
    >
    > There is still a long way to go. Most developers do not know how to implement authorization. At best they have heard of RBAC, but often they'll try to implement it themselves rather than use a library.
    >
    > There are a few things we could do:
    >
    > - Continue increasing the knowledge base on ABAC online (pretty much what I have been doing)
    > - Collaborate with other entities, e.g. OWASP, NIST, OASIS (the relevant TCs), other standards bodies, e.g. SCIM, OAuth2...
    > - We could deliver a cheat sheet for OWASP.
    > - Take part in another XACML interop?
    > - Be at another security conference?
    > - What else?
    >
    > Thanks,
    > David.

    --
    Martin F Smith, Principal
    BFC Consulting, LLC
    McLean, Va 22102
    703 506-0159
    703 389-3224 mobile