Anything data helps, even if impossible
Thanks and have a fun weekend
Js
Sent from my iPhone
-Guy
> --
> You received this message because you are subscribed to the "Military Open Source Software" Google Group.
> To post to this group, send email to mil...@googlegroups.com
> To unsubscribe from this group, send email to mil-oss+u...@googlegroups.com
> For more options, visit this group at http://groups.google.com/group/mil-oss?hl=en
>
> www.mil-oss.org
For ITAR wouldn't EVerify work for citizenship verification?
If anybody finds out more about this, and if it's available to Private
enterprise. I'd like to hear about it. BAH was in on our requirement a
few years ago and this never came up. :-/
On Fri, Feb 17, 2012 at 22:34, Joel Schuster <joel.s...@opsysinc.com> wrote:
> For ITAR wouldn't EVerify work for citizenship verification?
Is there a web service and has it expanded to Debarred Parties and
other checks? Would be an interesting general Government service but I
could see some kicking and screaming too. -Ali
--
You received this message because you are subscribed to the "Military Open Source Software" Google Group.
To post to this group, send email to mil...@googlegroups.com
To unsubscribe from this group, send email to mil-oss+u...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/mil-oss?hl=en
www.mil-oss.org
g
If you are:
1. trying to comply with US export control laws's prohibition on exporting to counties on the United States Office of Foreign Assets Control (OFAC) sanction list...
2. but you only need a very *low* level of security...
Then take a peek at what SourceForge and Fedora do.
SourceForge.net by default blocks access from certain countries' IP addresses. Project leaders can change the "Export Control" setting if they believe access is okay for their project (taking responsibility for it). More info here:
http://sourceforge.net/blog/some-good-news-sourceforge-removes-blanket-blocking/
http://sourceforge.net/blog/clarifying-sourceforgenets-denial-of-site-access-for-certain-persons-in-accordance-with-us-law/
http://fedoraproject.org/wiki/Legal:Export_Control_SOP
http://fedoraproject.org/wiki/Legal:Export
Obviously blocking source IP addresses doesn't *really* prevent access. If information is available to the public in the US, someone could just remotely log into a system in the US and access it. If you think the law hasn't kept up with the times... well, let's just say you're not the first to say that :-). But if the point is to stay within the law, it appears to work. At least, organizations with lawyers are doing it and staying out of jail :-).
That won't help if you're *seriously* trying to prevent access, though.
BTW, Brett Smith (Licensing Compliance Engineer, Free Software Foundation) had some interesting comments on the GPL and export control recorded here (and it might be useful): <http://fedoraproject.org/wiki/FreeSoftwareAnalysis/FSF>.
=== QUOTE ===
On Sat, Aug 11, 2007 at 01:14:53AM +0530, Rahul Sundaram wrote:
> > Fedora as a distribution is affected by export control regulations as
> > any software subjected to US laws from the legal perspective.
> >
> > http://fedoraproject.org/wiki/Distribution/Download/ExportRegulations
> >
> > Clause 8 in GPL mentions that such regulations are compatible with the
> > license but can you confirm FSF's viewpoints on this?
Section 8 of GPLv2 doesn't make the sort of sweeping policy statement
you're suggesting here. You'll note that we took this clause out of GPLv3
-- but you're not suddenly going to get into export restriction trouble
because of it.
The question to ask is: what requirement of the GPL does the law prevent
you from fulfilling? When it comes to export restrictions, the answer is
none. If you comply with local export restrictions, you will not run afoul
of any requirements in the GPL. Therefore, there's no conflict.
Export restrictions limit who you can give the software to. The GPL has no
problem with you being picky about who you give the software to: if you
want, you can decide that you'll only distribute to paying customers, or
people with blue hair. So the fact that you also decide not to distribute
to Iranians and Syrians is no problem as far as the license is concerned.
Best regards,
-- Brett Smith Licensing Compliance Engineer, Free Software Foundation
=== END QUOTE ===
--- David A. Wheeler
Indeed. There was a project here to develop an attribute based access control system for determining access to data. The DMDC ( HYPERLINK "http://www.dmdc.osd.mil" www.dmdc.osd.mil) maintains the database of CAC holders and is the authoritative source of DoD personnel data. After signing an MOA we were allowed to query their data, as they have web services to look up personnel by EDIPI (think CAC unique ID). The data varies but has clearance info, name, email, DoD component, citizenship, etc..., which is more than enough to determine if they have access to certain data. The software forge.mil page which used to have this information during the development phase is here: <https://software.forge.mil/sf/sfmain/do/viewProject/projects.nsldss> the new site related to the program of record should be here: <https://project.forge.mil/sf/projects/nces>. This is a link to the customer integration document that provides good data and examples: <https://project.forge.mil/sf/go/doc38821?nav=1> (you may need to join the project first).
Since external services weren't allowed to query DMDC themselves we set up a service to query "policies" that were set up. So for example, on NIPR and SIPR, there is a policy that requires that users have a secret clearance and be a US citizen. Anyone can ask the service whether the user (by EDIPI) has access to the us-secret policy using web services. The service queries and caches DMDC and figures out if the user has a secret clearance and a US citizenship. If so, the service returns a permit, otherwise a deny, or if the service doesn't know it returns a not applicable.
It is XACML, although I don't know the version. The SOAP request uses SAML to assert the user's distinguished name. The SOAP endpoint for the policy service is <https://cpdp.ces.mil/pdp/SOAPServlet (or add a .smil.mil)>. Sorry, I don't have the WSDL address but it should be in the documentation in the above project.forge NCES site. There are example SOAP requests in the document above, or I can send you a guaranteed working one.
My google foo says ITAR is restricted to US persons, so that should be easy. There's already XACML policies set up for that. Keep in mind that DMDC only has CAC registered personnel so federal or foreign national data is hit or miss right now. I believe there are a couple think tanks trying to figure out that issue right now.
I wrote a quick mash-up so that you can see what the result would be using your own certificate here:
<https://strategicwatch.ces.mil/presto/edge/api/rest/GetCPDPpermissions/invoke?x-presto-resultFormat=xml&InformationDomain=us-secret&Action=read>
Oh, and almost every https link above is 2-way, so you'll need a DoD cert to access. ECA certs may work, but seems to be hit or miss depending on if the site trusts the whole suite of FBCA certs. As for scaling of 10K users, you'll have to talk to the maintainers. Their contact info is in the document above, or I can send it to you if you'd like.
Hope this helps,
-ben
-----Original Message-----
From: HYPERLINK "mailto:mil...@googlegroups.com" mil...@googlegroups.com [mailto:mil...@googlegroups.com] On Behalf Of Will LaForest
Sent: Friday, February 17, 2012 10:16 PM
To: HYPERLINK "mailto:mil...@googlegroups.com" mil...@googlegroups.com
Subject: Re: [mil-oss] Itar question
On the NSLDSS project at DISA we used a set of security services developed by Booz Allen for ABAC security. The suite included an Attribute Store, XACML Policy Store, and a PDP. These are currently alive and running somewhere (I think San Antonio) but you can also get the reference implementation on Forge.mil as well. I would dig up the link for you but my account is no longer active. Ben Congdon, who is a member of this group, can no doubt provide links and more information if your interested.
--
Will LaForest
Senior Director of 10gen Federal
10gen, The MongoDB Company
Office 202-656-7651
Mobile 571-230-6778
@WLaForest
On Feb 17, 2012, at 5:40 PM, John Scott III wrote:
Hi all, I am looking for a way to (as a web service) to verify an individuals identify so that they can have access to itar controlled material
Are there any services out there that do this at scale? 10k people or more
Anything data helps, even if impossible
Thanks and have a fun weekend
Js
Sent from my iPhone
--
You received this message because you are subscribed to the "Military Open Source Software" Google Group.
To post to this group, send email to HYPERLINK "mailto:mil...@googlegroups.com" mil...@googlegroups.com
To unsubscribe from this group, send email to HYPERLINK "mailto:mil-oss+u...@googlegroups.com" mil-oss+u...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/mil-oss?hl=en
HYPERLINK "http://www.mil-oss.org" www.mil-oss.org
--
You received this message because you are subscribed to the "Military Open Source Software" Google Group.
To post to this group, send email to HYPERLINK "mailto:mil...@googlegroups.com" mil...@googlegroups.com
To unsubscribe from this group, send email to HYPERLINK "mailto:mil-oss+u...@googlegroups.com" mil-oss+u...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/mil-oss?hl=en
HYPERLINK "http://www.mil-oss.org" www.mil-oss.org
Classification: UNCLASSIFIED
Caveats: NONE
I have to ask because I want to know if I'm being unreasonably
throttled by Legal and PM. I've been told over and over again for
years that the debarred parties list must be consulted as well. US
Citizens are on that list who have violations, suspect relations, etc.
And that's been a big hang-up and additional manual check. The CAC /
DoD cert system has that covered - not sure about the rest.
Regardless, is anybody else getting pushback to check against the
debarred parties list? -Ali
> --
> You received this message because you are subscribed to the "Military Open Source Software" Google Group.
> To post to this group, send email to mil...@googlegroups.com
> To unsubscribe from this group, send email to mil-oss+u...@googlegroups.com
> For more options, visit this group at http://groups.google.com/group/mil-oss?hl=en
>
-----------------------------------------------------------
John Scott
240.401.6574
< jms...@gmail.com >
http://powdermonkey.blogs.com
@johnmscott
Have you joined MIL-OSS?:
http://groups.google.com/group/mil-oss
http://mil-oss.org/
http://www.bis.doc.gov/dpl/default.shtm
http://www.pmddtc.state.gov/compliance/debar.html
Cheers, -Ali
While this is an uneducated guess, I would guess that those personnel do not have valid DoD or ECA certs. I would hope that if they did, they were revoked shortly after the incident. Most of them aren't even in the U.S.
-ben
The lists, specifically, are:
http://www.bis.doc.gov/dpl/default.shtm
http://www.pmddtc.state.gov/compliance/debar.html
Cheers, -Ali
Classification: UNCLASSIFIED
Caveats: NONE
Also, just to clarify, having a CAC ECA cert does not mean that the person is a US citizen. I know that ITAR restricted projects on forge.mil have to implement tighter controls due to this issue.