US Government launches login.gov and shares open source code


Gabriel Cossette

Aug 24, 2017, 12:26:37 PM
to Gov-OSS
"[...] login.gov, a single sign-on solution for government websites that
will enable citizens to access public services across agencies with the
same username and password."

"[...] meets the design, performance, and experience people are used to
having when logging into their email or any top tech industry website.
Login.gov makes it easy and intuitive for users to choose a username and
password, and to set up multifactor authentication by using their phone
numbers or an authenticator application. Login.gov also allows agencies
to protect users' personally identifiable information by going through
an identity proofing process where it verifies identities online. Once
this is done, they’ll be able to use the same login to access any
government site using the simplified login.gov interface."

https://18f.gsa.gov/2017/08/22/government-launches-login-gov/

--
Gabriel

Karl Fogel

Aug 24, 2017, 12:40:41 PM
to Gabriel Cossette, Gov-OSS
That's huge. Although I'm sure it'll be rolled out slowly, and agencies like the IRS will be the last to adopt it (if ever), which is probably wise.

So fantastic that it's open source. https://github.com/18F/identity-idp, to save everyone some time :-).

Thanks for posting, Gabriel.

Trevor Vaughan

Aug 24, 2017, 1:17:01 PM
to Karl Fogel, Gabriel Cossette, Gov-OSS
This is so almost awesome.

Looking at the components, it doesn't run with the native infrastructure provided by Common Criteria and FIPS 140-2 approved Operating Systems per FISMA.

I really do wish they would test on infrastructures that are on Government-wide baselines.

Maybe this will catch up at some point.

Trevor


--
You received this message because you are subscribed to the Google Groups "Government Open Source" group.
To unsubscribe from this group and stop receiving emails from it, send an email to government-open-source+unsub...@googlegroups.com.
To post to this group, send email to government-open-source@googlegroups.com.
Visit this group at https://groups.google.com/group/government-open-source.
For more options, visit https://groups.google.com/d/optout.



--
Trevor Vaughan
Vice President, Onyx Point, Inc

-- This account not approved for unencrypted proprietary information --

Erie Meyer

Aug 24, 2017, 3:12:00 PM
to Trevor Vaughan, Karl Fogel, Gabriel Cossette, Gov-OSS
Trevor -- if you're up to open an issue, they would be super responsive!

Trevor Vaughan

Aug 24, 2017, 3:20:44 PM
to Erie Meyer, Karl Fogel, Gabriel Cossette, Gov-OSS
I'll try to get to it.

I've done it for about 3 different projects so far and haven't gotten any responses from 18F so it's getting harder to beat that drum.

I mean, at a bare minimum, they should be both writing and testing everything on systems that meet the 800-53 requirements. In this, I see instructions for both Mac and Debian (probably Ubuntu) systems, neither of which are Common Criteria certified (from what I can find).

Trevor

--
Trevor Vaughan
Vice President, Onyx Point, Inc

-- This account not approved for unencrypted proprietary information --

Eric Mill

Aug 24, 2017, 3:33:34 PM
to Trevor Vaughan, Erie Meyer, Karl Fogel, Gabriel Cossette, Gov-OSS
Yes, we use Ubuntu heavily in server environments that don't use cloud.gov (of which login.gov is one), and we tend to use Macs as development environments. We don't put heavy emphasis on Common Criteria certification when evaluating our environments.

Trevor, sorry you haven't been getting responses on issues you filed. They could be on some unmaintained repos (in particular, we're guilty of dropping off of the fisma-ready repositories), or folks could just be missing them for some reason. Feel free to link me to them (off-list if you want) and I'll take a look.

And in general, we have a public Slack channel open to anyone who wants to talk about open source with us or each other. It's not publicly indexed like this group, and I don't want to detract from the public conversation, but if you want to ping us about threads we're not responding to, or chat in real time directly, you can get an automatic Slack invite to our #opensource-public channel by going to https://chat.18f.gov and filling out the form.

-- Eric

Trevor Vaughan

Aug 24, 2017, 3:37:01 PM
to Eric Mill, Erie Meyer, Karl Fogel, Gabriel Cossette, Gov-OSS
Ah, thanks for that!

I'll get into that channel and make a nuisance of myself over there.


Trevor Vaughan

Aug 24, 2017, 3:39:23 PM
to Eric Mill, Erie Meyer, Karl Fogel, Gabriel Cossette, Gov-OSS
Just out of curiosity, how do you expect the wider Government to use your software if it's not tested and suitable for FISMA compliant environments?

It's certainly fine for environments that process non-sensitive information but simply can't be used in environments that process sensitive information which would be...all of the important ones.

I'll move the conversation into Slack once I get the approval but I thought that the mailing list might be interested.

Trevor


Eric Mill

Aug 24, 2017, 3:45:58 PM
to Trevor Vaughan, Erie Meyer, Karl Fogel, Gabriel Cossette, Gov-OSS
Login.gov processes sensitive information, and ultimately what every agency chooses to authorize for those purposes, and how that agency meets the controls specified via FISMA, is up to them. 

You're totally correct that some agencies take a restrictive view of these things and as an internal policy matter don't allow the use of technologies outside of standard externally established criteria. However, while we're happy to make this an open source application (and consider this a necessary baseline for public review and for operating an effective public vulnerability disclosure program and bug bounty) we're optimizing more for our implementation and deployment of the software, and less so for the broadest possible federal reuse.

-- Eric

Trevor Vaughan

Aug 24, 2017, 3:53:17 PM
to Eric Mill, Gov-OSS
Hmm...I've heard this argument a couple of times, but the policies don't seem to hold up to that argument that each Agency can waive the 800-53 and 800-171 controls that are mandated from the ground up.

The FIPS 140-2 requirement is stated as non-waiveable in FIPS-200 and the Common Criteria (ISO/IEC 15408) requirement is the only certification mentioned in either the 53 or 171.

Yes, all Agencies can make it *more* restrictive, but per FISMA, all Federal systems must meet these requirements at a minimum. So, if you want to get stronger than CC, game on and more power to you, but ignoring the certification status altogether doesn't appear to be valid per the blanket Federal policies.

Trevor


Jim Correll

Sep 7, 2017, 8:21:55 PM
to Trevor Vaughan, Eric Mill, Gov-OSS
Hey, first ever post! w00t!

I will say, this situation is frustrating.  I get that 18F is supposed to be the new hotness and all that.  And truly, you're doing great things in your space.  But, when you ignore standards and requirements that most other government agencies face, it just feels like a worthless endeavor. We're back to watching Silicon Valley create things we can never use, all over again.  This feels like one of those things.  It lands with a thud.  Please do keep up with the good work, but also please do pay greater attention to the requirements the rest of the government contracting industry must adhere to.  Otherwise, you're not making as great an impact as you'd like.

Cheers, Jim


Christopher Sean Morrison

Sep 7, 2017, 10:59:31 PM
to Jim Correll, Gov-OSS
To throw a differing perspective into the mix, I still see this as potentially a good thing.  Requirements change.  If there is a broadly used system in de-facto use like what login.gov has the potential to become, that would be a strong motivator, whether to relax the requirements or become more compliant as a result of increased attention.  Either way, win.

I have seen variations of this work first hand.

Agency A is super restrictive on interpreting and applying controls on their in-house processing system. Agency B is FAR less restrictive (possibly to a fault) on their processing system, but they open theirs up. “A” has absolutely NO issue using “B”’s relaxed system with capabilities “A” explicitly prohibits. When asked about the discrepancy, paraphrased: "what they do is on them — don’t know how they got that approved, don’t care, it works great”.

Cheers!
Sean