XACML vs WS-Policy vs WS-Trust

Interesting post by Joseph Chiusano of Booz Allen Hamilton to the sunxacml-discuss mailing list discussing US Federal Government classification of standards and specifications. Key quote (my links):

XACML would be considered to be a “Voluntary Consensus Standard (VCS)” (aka an “open standard”) according to OMB Circular A-119[1], the authoritative federal mandate on this topic. WS-Policy and WS-Trust, however, would not be considered VCSs.

It is important to understand the difference between a standard and a specification – imho, standards are created in organizations (such as OASIS, W3C and Liberty) whose membership is open to all. Non-standard specifications, on the other hand, are created by consortia of vendors outside standards bodies such as the above. That’s not to denigrate their usefulness in any way, but the difference in process can be significant – open standards level the playing field; in contrast, you can never be sure whether a multi-lateral specification favours the members’ products. In fact, it would be somewhat irrational if it did not.

Firewalls’ False Sense of Security

Opinion piece in Computerworld by Jerrold M. Grochow, vice president for information services and technology at MIT, on the limitations of perimeter security and the importance of building identity and authorization into applications themselves – closing quote:

Firewalls can go only so far — at some point, you’ll have to develop a secure identity structure that’s incorporated into each and every application. And projects such as Kerberos, Shibboleth and Liberty will lead the way.

I would add SAML to that list, and note that SAML 2.0 incorporates functionality from both Liberty ID-FF and Shibboleth.