Hi, this is Felix Gaehtgens again, posting on Gerry’s blog. The Dutch government is thinking about adopting XACML as a standard, and until September 4, 2011 there is an open process to send in comments, which I encourage every Dutch speaker with an interest in XACML to do.
The Dutch cabinet decided in 2007 to implement an action plan for the use of open standards and open software in government. A “Standardisation College” has been formed and tasked with looking at open standards and prescribing their use within the Dutch administration (“overheid”). This College maintains a “comply or explain” list of standards. For future projects this means that tendering vendors and architects must either comply with the standards on the list, or explain why this cannot or should not be done.
Currently, it is being studied whether XACML should be put on the “comply or explain” list. The decision process is open and well defined, and works like this:
1. An expert group has met and compiled a document with their recommendation.
2. Following the publication of this expert group recommendation document, there is now a call to the public for comments and additional advice. This process closes on Sep 4, 2011.
3. The expert group recommendation and all of the public comments and reactions will be passed to the Standardisation College immediately after the Sep 4 deadline has passed.
4. The Standardisation College will then make a decision on whether to put XACML on the “comply or explain” list or not.
In short, the expert group met and looked at two standards: XACML and WS-Policy. Their recommendation was not to include WS-Policy in the “comply or explain” list. On XACML, the expert group recommended not to include it in the “comply or explain” list yet, because they thought that not enough experience existed with the standard and that it was too early at this point. However, they stated that XACML is a very promising standard, and hence recommended looking at the issue again in one year.
I encourage every Dutch speaker with an interest in XACML to read the documents of the expert group, to fill in the template for the public comments, and to send it in before the deadline. I intend to do the same. In fact, there are several parts of the document which – albeit excellently written – may need some further clarification. Since the expert group admitted that they do not have much experience with XACML in the Netherlands yet, perhaps experience gained in other locations and environments might flow into the process. I therefore encourage everybody who speaks Dutch and has some experience in externalising authorisation with XACML to send in their comments.
In the document, it is written that Centric (the government organisation tasked with the standardisation) is looking to take identity management, authN and authZ out of the applications and have them provided by a central facility. XACML is the ideal standard to do this. I believe that the choice is actually quite straightforward. When authN (authentication), specifically federated authentication, was being adopted, there was initially a bit of a “war of standards” between SAML 1, Liberty Alliance ID-FF, and WS-Federation. SAML 2.0 merged features of SAML 1 and Liberty Alliance ID-FF. However, IBM and Microsoft were still pushing for WS-Federation and initially refused to support SAML 2.0. Finally, SAML 2.0 came out on top, and even Microsoft fully supports the standard natively.
With XACML, it is much easier. The standard is straightforward and addresses externalised authorisation in a flexible, versatile and pervasive manner. There really is no contender. This is why it seems natural to me that XACML should be on the “comply or explain” list if authZ is really to be externalised.
The expert group rightfully states that there are many things to think of when externalising authorisation. They say for example that authZ between organisations will be a very interesting trend. The expert group recommends that perhaps a specific profile for using XACML could be defined. This is a very good idea. However, the enemy of the good is always the better. If you want to externalise authorisation, then you really need to start doing it sooner rather than later – because it will be more work retro-fitting externalised authZ into applications later. Hence my recommendation would be to start as early as you can. XACML is very flexible, and once you have managed to bring at least your new applications into line, you have something to work with that gives you a lot of flexibility.
The expert group also started with a recommendation for an architecture but states that more work needs to go into this, saying that it would be a good starting point for a discussion. It definitely is a good starting point – I believe it is important however to point out again that XACML deployments give a lot of flexibility when it comes to the integration of applications – from coarse-grained to fine-grained. Several architecture models could be given as a suggestion, and there are many “good practices” available from existing implementations already (such as from our customers). But is all of this already necessary before a decision can be made to include XACML on the “comply or explain” list? There is the danger of “putting the cart in front of the horse” by saying that everything must be defined before a recommendation can be given on which standards to use for externalising authZ. Why not just say yes, we want to externalise authZ, hence we’ll use the standard for doing this. As applications become prepared to support XACML, a whole universe of possibilities opens up for providing more advanced authorisation services within and between organisations. But why wait to prepare applications to support this infrastructure? Waiting will only mean that there are more hard-wired, non-standardised applications that will make it more difficult in the long run.
Perhaps this is why the expert group – admitting that there is not much experience with the standard – thinks that the time for XACML to be put on the “comply or explain” list may not yet be ripe.
I am not a real “Dutch speaker” although I can understand (depending on who is talking) and read it quite well after being exposed to a lot of the language in Belgium. I can speak it somewhat but it sounds “grappig”, and writing for me is very “moehelijk”. But I’ll do my best and have my Dutch friends look over my comments.
So if you speak Dutch, and have opinions/experience about XACML, please send in your comments so that the Standardisation College has the complete picture available when making their decision.