Monday, January 22, 2007
Authorization Management and Identity
I wonder if Pat Patterson, Doc Searls, Mark Dixon, Dick Hardt and Gunnar Peterson have read the wonderful blog posting on Authorization Management by noted industry analyst Gerry Gebel of the Burton Group?
Since Gerry asked are there other questions that come to mind, I figured I would list ones I have:
| | View blog reactionsSince Gerry asked are there other questions that come to mind, I figured I would list ones I have:
- To date, industry analysts have covered security specifications in terms of security products that implement them. I would like to start of by asking what would it take for Anne Thomas Manes and some of the other Burton Group leads to start asking every single vendor they interact with, when they plan on building into their product the XACML PEP specification? Of course, I would love for future Burton Group research to answer this question in writing in upcoming reports with the BPM, DRM, ERP, ESB and ECM domains up first.
- As you are aware, the SAML specification also supports a profile that integrates well with XACML yet no one product seems to want to implement it. Who will be the first vendor to demonstrate at least interoperability?
- Taking the above question one step further, do you believe that Sun will be a leader and first in the pack to implement, absolute dead last or just somewhere in the middle?
- Which community (OpenID or Cardspace) will go beyond support for basic identity and support relationships, authorization and attestation first?
- Do you think that Oracle's AAPML and CARML will be implemented by others? If so, what timeframes do you predict and who will be first?
- Do you think there is merit for the Liberty Alliance to address the authorization topic?
- How many Fortune 100 customers blogging in the blogosphere would it take to get Microsoft to implement XACML in their products?
- Do any of the authorization management vendors implement secure coding practices and use tools from either Fortify and/or Ounce Labs? Actually I would ask the same question of those in the OpenID community too.
- How should authorization management tools integrate with audit products such as LogLogic?