Itar question

149 views
Skip to first unread message

John Scott III

unread,
Feb 17, 2012, 5:40:05 PM2/17/12
to miloss
Hi all, I am looking for a way to (as a web service) to verify an individuals identify so that they can have access to itar controlled material
Are there any services out there that do this at scale? 10k people or more

Anything data helps, even if impossible

Thanks and have a fun weekend
Js

Sent from my iPhone

Guy Martin

unread,
Feb 17, 2012, 5:42:35 PM2/17/12
to mil...@googlegroups.com
When we were trying to solve this problem for Forge.mil, we were told to
work with the DTIC folks to build a web-service for this. However, I
believe they backed away from actually developing it.

-Guy

Ali-Reza Anghaie

unread,
Feb 17, 2012, 5:44:10 PM2/17/12
to mil...@googlegroups.com
There was a project within two DoD contracting firms that were hoping
to basically outsource identity verification to a CA for their
customer portals and then use that CAs OpenID services to enable such
checking. However, as a generally available service I'm unaware of
one. You can ping me out of band if you want the background I have -
it wasn't successful though (for Legal reasons as much as technical).
-Ali

> --
> You received this message because you are subscribed to the "Military Open Source Software"  Google Group.
> To post to this group, send email to mil...@googlegroups.com
> To unsubscribe from this group, send email to mil-oss+u...@googlegroups.com
> For more options, visit this group at http://groups.google.com/group/mil-oss?hl=en
>
> www.mil-oss.org

Will LaForest

unread,
Feb 17, 2012, 10:16:08 PM2/17/12
to mil...@googlegroups.com
On the NSLDSS project at DISA we used a set of security services developed by Booz Allen for ABAC security.  The suite included an Attribute Store, XACML Policy Store, and a PDP.  These are currently alive and running somewhere (I think San Antonio) but you can also get the reference implementation on Forge.mil as well.  I would dig up the link for you but my account is no longer active.  Ben Congdon, who is a member of this group, can no doubt provide links and more information if your interested.

--

Will LaForest
Senior Director of 10gen Federal
10gen, The MongoDB Company
Office 202-656-7651
Mobile 571-230-6778 
@WLaForest



Joel Schuster

unread,
Feb 17, 2012, 10:34:40 PM2/17/12
to mil...@googlegroups.com

For ITAR wouldn't EVerify work for citizenship verification?

Ali-Reza Anghaie

unread,
Feb 18, 2012, 4:03:16 AM2/18/12
to mil...@googlegroups.com
On Fri, Feb 17, 2012 at 22:16, Will LaForest <wi...@10gen.com> wrote:
> On the NSLDSS project at DISA we used a set of security services developed
> by Booz Allen for ABAC security.  The suite included an Attribute Store,
> XACML Policy Store, and a PDP.  These are currently alive and running
> somewhere (I think San Antonio) but you can also get the reference
> implementation on Forge.mil as well.  I would dig up the link for you but my
> account is no longer active.  Ben Congdon, who is a member of this group,
> can no doubt provide links and more information if your interested.

If anybody finds out more about this, and if it's available to Private
enterprise. I'd like to hear about it. BAH was in on our requirement a
few years ago and this never came up. :-/

On Fri, Feb 17, 2012 at 22:34, Joel Schuster <joel.s...@opsysinc.com> wrote:
> For ITAR wouldn't EVerify work for citizenship verification?

Is there a web service and has it expanded to Debarred Parties and
other checks? Would be an interesting general Government service but I
could see some kicking and screaming too. -Ali

Brad Cox

unread,
Feb 18, 2012, 7:42:45 AM2/18/12
to mil...@googlegroups.com
Strange. Technica built a suite of the very same capabilities for DISA (Attribute Store and ABAC PDP) and released it to forge.mil about a year ago. That might be suitable. It uses an OASIS-compliant XACML 2.0 compiler I developed to turn policies into Java, with compilation supported prior-to or during PDP execution time. Much faster than Sun's XACML interpreter; about 1200 messages/sec if SAML signing isn't enabled which slows things down considerably.

The project name is GOSAC-N if anyone's interested. If the version you find there is about a year old, check back in a day or too. I don't have a CAC and am not sure if the new release made it through yet.

--
You received this message because you are subscribed to the "Military Open Source Software"  Google Group.
To post to this group, send email to mil...@googlegroups.com
To unsubscribe from this group, send email to mil-oss+u...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/mil-oss?hl=en

www.mil-oss.org

Brad Cox

unread,
Feb 18, 2012, 7:47:55 AM2/18/12
to mil...@googlegroups.com
If anybody's interested in moving to XACML 3.0, we also have an XACML 3.0 compiler that's compatible with the PDP on forge.mil. That's proprietary and not on forge.mil. There's also a AFCEA paper about XACML compilation at http://bradjcox.blogspot.com.

John Scott III

unread,
Feb 18, 2012, 11:45:04 AM2/18/12
to mil...@googlegroups.com, mil...@googlegroups.com
Only allowed for employment 

Sent from my iPhone

Kimberly Holladay

unread,
Feb 18, 2012, 3:38:58 PM2/18/12
to mil...@googlegroups.com
All~

I am fairly new to the group, but I did want to pipe in on the subject of ABAC security.  I am currently supporting the DCGS Enterprise and my team is focused on driving the community toward alignment to open standards and specifications for the purposes of interoperability and reuse.  A core piece of this is ABAC security.  We have two open source prototypes that have been in development to vet that the standards are solid and implementable and that different implementations can be interoperable.  One of these prototypes was based on the work done on NSLDSS and the other leveraged another set of open source tools.  The latter (Bravo) prototype, plays a large role in an OUSD(I)-sponsored Collaborative Enterprise Environment-West  (CEE-West) initiative...an open community environment intended to enable folks (industry and government) to bring forward/expose capabilities and drive toward alignment to community standards.  

I thought I would mention this as it is relevant to the ABAC security discussion.  Both of these prototypes are are currently on Forge.mil though there are still some access discussions ongoing.  Happy to provide additional info if it can help in any way.  

Kimberly Holladay

Gunnar Hellekson

unread,
Feb 19, 2012, 3:13:06 PM2/19/12
to mil...@googlegroups.com
That's really interesting -- can you tell us more about the this CEE-West thing?

g

Wheeler, David A

unread,
Feb 21, 2012, 11:30:26 AM2/21/12
to mil...@googlegroups.com
John Scott:

> Hi all, I am looking for a way to (as a web service) to verify an
> individuals identify so that they can have access to itar controlled
> material > Are there any services out there that do this at scale? 10k people or
> more

If you are:
1. trying to comply with US export control laws's prohibition on exporting to counties on the United States Office of Foreign Assets Control (OFAC) sanction list...
2. but you only need a very *low* level of security...
Then take a peek at what SourceForge and Fedora do.

SourceForge.net by default blocks access from certain countries' IP addresses. Project leaders can change the "Export Control" setting if they believe access is okay for their project (taking responsibility for it). More info here:
http://sourceforge.net/blog/some-good-news-sourceforge-removes-blanket-blocking/
http://sourceforge.net/blog/clarifying-sourceforgenets-denial-of-site-access-for-certain-persons-in-accordance-with-us-law/


http://fedoraproject.org/wiki/Legal:Export_Control_SOP
http://fedoraproject.org/wiki/Legal:Export

Obviously blocking source IP addresses doesn't *really* prevent access. If information is available to the public in the US, someone could just remotely log into a system in the US and access it. If you think the law hasn't kept up with the times... well, let's just say you're not the first to say that :-). But if the point is to stay within the law, it appears to work. At least, organizations with lawyers are doing it and staying out of jail :-).

That won't help if you're *seriously* trying to prevent access, though.


BTW, Brett Smith (Licensing Compliance Engineer, Free Software Foundation) had some interesting comments on the GPL and export control recorded here (and it might be useful): <http://fedoraproject.org/wiki/FreeSoftwareAnalysis/FSF>.


=== QUOTE ===

On Sat, Aug 11, 2007 at 01:14:53AM +0530, Rahul Sundaram wrote:

> > Fedora as a distribution is affected by export control regulations as
> > any software subjected to US laws from the legal perspective.
> >
> > http://fedoraproject.org/wiki/Distribution/Download/ExportRegulations
> >
> > Clause 8 in GPL mentions that such regulations are compatible with the
> > license but can you confirm FSF's viewpoints on this?

Section 8 of GPLv2 doesn't make the sort of sweeping policy statement
you're suggesting here. You'll note that we took this clause out of GPLv3
-- but you're not suddenly going to get into export restriction trouble
because of it.

The question to ask is: what requirement of the GPL does the law prevent
you from fulfilling? When it comes to export restrictions, the answer is
none. If you comply with local export restrictions, you will not run afoul
of any requirements in the GPL. Therefore, there's no conflict.

Export restrictions limit who you can give the software to. The GPL has no
problem with you being picky about who you give the software to: if you
want, you can decide that you'll only distribute to paying customers, or
people with blue hair. So the fact that you also decide not to distribute
to Iranians and Syrians is no problem as far as the license is concerned.

Best regards,
-- Brett Smith Licensing Compliance Engineer, Free Software Foundation
=== END QUOTE ===

--- David A. Wheeler

Congdon, Benjamin E CIV DISA CTO

unread,
Feb 21, 2012, 6:55:44 PM2/21/12
to mil...@googlegroups.com
Classification: UNCLASSIFIED
Caveats: NONE


Indeed. There was a project here to develop an attribute based access control system for determining access to data. The DMDC ( HYPERLINK "http://www.dmdc.osd.mil" www.dmdc.osd.mil) maintains the database of CAC holders and is the authoritative source of DoD personnel data. After signing an MOA we were allowed to query their data, as they have web services to look up personnel by EDIPI (think CAC unique ID). The data varies but has clearance info, name, email, DoD component, citizenship, etc..., which is more than enough to determine if they have access to certain data. The software forge.mil page which used to have this information during the development phase is here: <https://software.forge.mil/sf/sfmain/do/viewProject/projects.nsldss> the new site related to the program of record should be here: <https://project.forge.mil/sf/projects/nces>. This is a link to the customer integration document that provides good data and examples: <https://project.forge.mil/sf/go/doc38821?nav=1> (you may need to join the project first).

Since external services weren't allowed to query DMDC themselves we set up a service to query "policies" that were set up. So for example, on NIPR and SIPR, there is a policy that requires that users have a secret clearance and be a US citizen. Anyone can ask the service whether the user (by EDIPI) has access to the us-secret policy using web services. The service queries and caches DMDC and figures out if the user has a secret clearance and a US citizenship. If so, the service returns a permit, otherwise a deny, or if the service doesn't know it returns a not applicable.

It is XACML, although I don't know the version. The SOAP request uses SAML to assert the user's distinguished name. The SOAP endpoint for the policy service is <https://cpdp.ces.mil/pdp/SOAPServlet (or add a .smil.mil)>. Sorry, I don't have the WSDL address but it should be in the documentation in the above project.forge NCES site. There are example SOAP requests in the document above, or I can send you a guaranteed working one.

My google foo says ITAR is restricted to US persons, so that should be easy. There's already XACML policies set up for that. Keep in mind that DMDC only has CAC registered personnel so federal or foreign national data is hit or miss right now. I believe there are a couple think tanks trying to figure out that issue right now.

I wrote a quick mash-up so that you can see what the result would be using your own certificate here:
<https://strategicwatch.ces.mil/presto/edge/api/rest/GetCPDPpermissions/invoke?x-presto-resultFormat=xml&InformationDomain=us-secret&Action=read>

Oh, and almost every https link above is 2-way, so you'll need a DoD cert to access. ECA certs may work, but seems to be hit or miss depending on if the site trusts the whole suite of FBCA certs. As for scaling of 10K users, you'll have to talk to the maintainers. Their contact info is in the document above, or I can send it to you if you'd like.

Hope this helps,

-ben


-----Original Message-----
From: HYPERLINK "mailto:mil...@googlegroups.com" mil...@googlegroups.com [mailto:mil...@googlegroups.com] On Behalf Of Will LaForest
Sent: Friday, February 17, 2012 10:16 PM
To: HYPERLINK "mailto:mil...@googlegroups.com" mil...@googlegroups.com
Subject: Re: [mil-oss] Itar question

On the NSLDSS project at DISA we used a set of security services developed by Booz Allen for ABAC security. The suite included an Attribute Store, XACML Policy Store, and a PDP. These are currently alive and running somewhere (I think San Antonio) but you can also get the reference implementation on Forge.mil as well. I would dig up the link for you but my account is no longer active. Ben Congdon, who is a member of this group, can no doubt provide links and more information if your interested.

--

Will LaForest
Senior Director of 10gen Federal
10gen, The MongoDB Company
Office 202-656-7651
Mobile 571-230-6778
@WLaForest

On Feb 17, 2012, at 5:40 PM, John Scott III wrote:


Hi all, I am looking for a way to (as a web service) to verify an individuals identify so that they can have access to itar controlled material
Are there any services out there that do this at scale? 10k people or more

Anything data helps, even if impossible

Thanks and have a fun weekend
Js

Sent from my iPhone

--
You received this message because you are subscribed to the "Military Open Source Software" Google Group.

To post to this group, send email to HYPERLINK "mailto:mil...@googlegroups.com" mil...@googlegroups.com
To unsubscribe from this group, send email to HYPERLINK "mailto:mil-oss+u...@googlegroups.com" mil-oss+u...@googlegroups.com


For more options, visit this group at http://groups.google.com/group/mil-oss?hl=en

HYPERLINK "http://www.mil-oss.org" www.mil-oss.org


--
You received this message because you are subscribed to the "Military Open Source Software" Google Group.

To post to this group, send email to HYPERLINK "mailto:mil...@googlegroups.com" mil...@googlegroups.com
To unsubscribe from this group, send email to HYPERLINK "mailto:mil-oss+u...@googlegroups.com" mil-oss+u...@googlegroups.com


For more options, visit this group at http://groups.google.com/group/mil-oss?hl=en

HYPERLINK "http://www.mil-oss.org" www.mil-oss.org

Classification: UNCLASSIFIED
Caveats: NONE


Ali-Reza Anghaie

unread,
Feb 21, 2012, 7:04:08 PM2/21/12
to mil...@googlegroups.com
On Tue, Feb 21, 2012 at 18:55, Congdon, Benjamin E CIV DISA CTO
<Benjamin...@disa.mil> wrote:
> My google foo says ITAR is restricted to US persons, so that should be easy.  There's already XACML policies set up for that.  Keep in mind that DMDC only has CAC registered personnel so federal or foreign national data is hit or miss right now.  I believe there are a couple think tanks trying to figure out that issue right now.

I have to ask because I want to know if I'm being unreasonably
throttled by Legal and PM. I've been told over and over again for
years that the debarred parties list must be consulted as well. US
Citizens are on that list who have violations, suspect relations, etc.
And that's been a big hang-up and additional manual check. The CAC /
DoD cert system has that covered - not sure about the rest.

Regardless, is anybody else getting pushback to check against the
debarred parties list? -Ali

John Scott III

unread,
Feb 21, 2012, 8:24:37 PM2/21/12
to mil...@googlegroups.com
wow, I guess if you have leaked, lost, stolen, etc. ITAR info then you would probably be barred from access said material. I've never heard of a black list, but who knows

> --
> You received this message because you are subscribed to the "Military Open Source Software" Google Group.

> To post to this group, send email to mil...@googlegroups.com
> To unsubscribe from this group, send email to mil-oss+u...@googlegroups.com


> For more options, visit this group at http://groups.google.com/group/mil-oss?hl=en
>

> www.mil-oss.org

-----------------------------------------------------------
John Scott
240.401.6574
< jms...@gmail.com >
http://powdermonkey.blogs.com
@johnmscott

Have you joined MIL-OSS?:
http://groups.google.com/group/mil-oss
http://mil-oss.org/

Ali-Reza Anghaie

unread,
Feb 21, 2012, 9:32:03 PM2/21/12
to mil...@googlegroups.com

Congdon, Benjamin E CIV DISA CTO

unread,
Feb 23, 2012, 9:57:55 AM2/23/12
to mil...@googlegroups.com
Classification: UNCLASSIFIED
Caveats: NONE

While this is an uneducated guess, I would guess that those personnel do not have valid DoD or ECA certs. I would hope that if they did, they were revoked shortly after the incident. Most of them aren't even in the U.S.

-ben

The lists, specifically, are:

http://www.bis.doc.gov/dpl/default.shtm
http://www.pmddtc.state.gov/compliance/debar.html

Cheers, -Ali

www.mil-oss.org

Classification: UNCLASSIFIED
Caveats: NONE


Ingold, Thomas [USA]

unread,
Feb 23, 2012, 10:56:37 AM2/23/12
to mil...@googlegroups.com
Also, just to clarify, having a CAC ECA cert does not mean that the person is a US citizen. I know that ITAR restricted projects on forge.mil have to implement tighter controls due to this issue.

Chuck Atkins

unread,
Mar 6, 2012, 12:00:05 PM3/6/12
to mil...@googlegroups.com
On Thu, Feb 23, 2012 at 10:56 AM, Ingold, Thomas [USA] <Ingold...@bah.com> wrote:
Also, just to clarify, having a CAC ECA cert does not mean that the person is a US citizen.   I know that ITAR restricted projects on forge.mil have to implement tighter controls due to this issue.


As a Foreign National you can still get an ECA certificate.  It's simply signed by a different CA.  Access to ITAR material, however, is not restricted to US Citizens but instead US Persons.  This includes both U.S. Citizens as well as Permanent Residents (i.e. green card holders) but NOT Foreign Nationals.  This is a case we deal with regularly as we do a fair amount of science R&D, much of it on data that is ITAR restricted.  We can have all of our researchers that are either U.S. Citizens or Permanent Residents work with this data.  However, all of our researchers that are only Foreign Nationals must work on either different data or different projects.

The distinction between U.S. Citizen and U.S. Person is often confused and quite frankly outright ignored sometimes.  When dealing with security classification, I've received guidance from various FSOs that essentailly treated everybody as either U.S. Citizen or "Other", when in reality, the specifics are such that some rules specify U.S. Citizens for some things but U.S. Persons for others, and yet other rules have different criteria entirely.  I suspect this is the tendency of security folks to "err on the side of caution".  Thankfully though, ITAR rules are a bit less murky (not much though) (also completely orthogonal to security classification).

Reply all
Reply to author
Forward
0 new messages