At the recent RSA conference, five organizations participated in an interop for the eXtensible Access Control Markup Language (XACML), based on version 3.0 of the XACML core spec and the Intellectual Property Control profile that is currently being defined. The interop was a big success, but its significance goes beyond the conference. So far, two organizations have formally attested conformance to XACML 3.0, but the interop featured five parties. This makes it likely that a third attestation is very close, and only three attestations are required before a specification can become an official OASIS standard.
There are other signals, too, that XACML is doing well. Many people and organizations seem interested enough that they want to start experimenting with it, and many more are seriously contemplating doing so.
And that makes sense to me (although I’m obviously biased). One reason is the impact that cloud computing is making, since XACML is perfect for use in the cloud. And adoption in cloud scenarios will become even easier with the REST and media types profiles that are currently being defined.
All in all, I have a feeling that a breakthrough is in the air.
If you’re interested in XACML yourself, and you live in or close to the Netherlands, then there is a good opportunity for you to learn more about how XACML is used in practice at the upcoming seminar in Utrecht on April 26. The program for this full-day event is almost finalized and ranges from the abstract (how does XACML fit in a security architecture) to the very concrete (experience reports from real implementations) and everything in between, like a demonstration from XACML vendor Axiomatics. Two members of the XACML Technical Committee will be there, so seize this opportunity to ask any and all questions you may have! The presentations will be in English, but most presenters also speak Dutch. Follow this seminar on Twitter via #xacmlnl.
So, what do you think? Do you see more implementations around you? Do you have a feeling that you need to know more about this important access control standard? Let me know in the comments.