Publicizing XACML & ABAC

[David Brossard <david.brossard@axiomatics.com>]

Hi,

To follow up on today's call, here is what I have been doing to spread the good word on ABAC and XACML.

• Update the XACML wikipedia page: https://en.wikipedia.org/wiki/XACML
• Create the ALFA wikipedia page: https://en.wikipedia.org/wiki/ALFA_(XACML)
• Create the ABAC page (would you believe it, it did not exist until 2 years ago): https://en.wikipedia.org/wiki/Attribute-Based_Access_Control - you'll notice there are issues with the page that need fixing (trustworthiness)
• Link between OAuth and XACML
• Maintain the xacml tag on Stackoverflow (http://stackoverflow.com/questions/tagged/xacml)
• Speak at local IAM events e.g. OWASP

I've also been monitoring authorization-related questions on Stackoverflow as well as other Stack Exchange sites e.g. https://softwareengineering.stackexchange.com and https://security.stackexchange.com

There is still a long way to go. Most developers do not know how to implement authorization. At best they have heard of RBAC but often they'll try to implement it themselves rather than use a library.

There are a few things we could do:

1. Continue increasing the knowledge base on ABAC online (pretty much what I have been doing)
2. Collaborate with other entities e.g. OWASP, NIST, OASIS (the relevant TCs), other standards bodies e.g. SCIM, OAuth2... We could deliver a cheat sheet for OWASP.
3. Take part in another XACML interop? Be at another security conference?

What else?

Thanks,

David.