Security and Transparency Subcommittee (STS) Conference Call *
January 23, 2007


1) Administrative Updates
2) Discussion of software independence on Access Control and System Event Logging requirements
3) Discussion of security related topics for other subcommittees
4) Discussion of innovation class - overview, high level requirements
5) Other Items
6) Next call Tuesday, February 6, 2007 at 10:30AM.

Participants: Alan Goldfine, Alicia Clay, Allan Eustis, Angela Orbaugh, Anoop Singhal, Barbara Guttman, Bill Burr, David Wagner, Donetta Davidson, John Kelsey, Nelson Hastings, Patrick Gannon, Ron Rivest, Santosh Chokhani, Sharon Laskowski, Wendy Havens

Administrative Updates (Allan Eustis):

  • Board of Advisors Meeting today (1/24/07) – John Wack is giving a presentation on the status of the VVSG – similar to the presentation given at the Election Center last week. A panel discussion will take place after his presentation – this panel consists of several TGDC members and will be looking at usability and accessibility issues.
  • Last week NIST/NVLAP recommended to EAC two initial labs that were compliant with our ISO standard (17025) – iBeta and SysTest. The reports have been posted on the web. Allan has since received calls from two additional labs interested in applying.
  • Allan also posted some state regulations regarding DRE audit procedures.

Software Independence (SI) Impact on Access Control and System Event Logging Requirements:

The chapters on Access Control and System Event Logging were forwarded around to STS members. The access control document was presented (in substantially the current version) at the March 2006 TGDC meeting, edited, and put in final VVSG 07 format. The event logging document has received NIST review, it needs to be reviewed by STS and TGDC.

Due to software independence, do the chapters need to have more or less requirements? Are there general guidance/broad principles that we should be using to decide whether to add/remove requirements due to the new software independence material? Answer by David Wagner and Ron Rivest is that we should still be using the cost/benefit trade-off review. When you remove or add a requirement based on impact from SI, make a note of it.

Much of the discussion relating to this agenda item centered on requirements that would require software versus hardware changes. Access control requirements recommend multi factor access control that may need something soldered to the mother board requiring a hardware upgrade. Logging event requirements may require hardware upgrades that allow for writing to “write-once” media. David Wagner and others expressed desire for compliance be possible with only software upgrades. Donetta Davidson stated that it should be made clear whether the new requirements would make it necessary for hardware to be retrofitted or upgraded. This would help TGDC and EAC when considering these recommendations. John Kelsey is concerned that it will be hard to determine what kind of effects the requirements are going to have on systems. Without a survey, we are not going to know how many machines are affected. ACTION: Allan Eustis and Nelson Hastings will discuss bringing this up at the next vendor meeting.

The event logging discussion centered on the importance of keeping these logs. Are they being used? It was suggested that a requirement should be written that logs are forwarded to a central location, transmitted with the voting records. A system must have the capability so that everything can be pulled off the system at once – ballots, event logging, etc. An inquiry was made whether there was a standard format for the logs. It was agreed that the requirement should be that the logs are in standard format or a utility provided to convert them to a standard format. There must also be a requirement saying that confidentiality must be protected when event logs are generated. The logs will be useful for finding problems with the system, e.g., shutdown or logout during use, software upgrades, administrator account access, etc. Further comments are requested by next week.

ACTION: STS subcommittee should review both the access control document and the event logging document and provide comments to the STS mailing list. The access control document will be considered ready for TGDC review, the event logging document will be brought up at a future STS subcommittee meeting.

Discussion of Security Related Topics for Other Subcommittees:

  • COTS and the impact of software independence on COTS. (see Flater's presentation:

  • Reliability issues with respect to paper records and the reliability of printers. This should be moved to CRT. Nelson will discuss with D. Flater/A. Goldfine.

  • Interoperability issues – primarily an export format for cast ballot records. CRT should have the lead, but STS should be involved in to make sure auditing is possible. STS will provide high level requirements to CRT.

  • Chain of custody procedures related to electronic records. STS will have the lead but will ask CRT for comments.

  • Usability and accessibility of paper, including bar coding, etc. for the blind. (This is our biggest crossover issue.) Nelson and Sharon will schedule a joint STS/HFP meeting. Framework of issues will be provided via email before meeting.

  • Usability issues with printers and audit mechanisms. Transfer to HFP. STS will prep HFP on the issues. Consideration on how we deal with auditing records of accessible systems.

  • Possible discussion with CRT: OEVT and software distribution.

Discussion of Innovation Class:

Two parts to the requirements we need to write. First, generic requirements that specify what the voting system has to do. (Do we write new requirements or identify requirements we already have? These are requirements that transcend the architecture no matter what the architecture is.) Second, we need to write setup procedures that identify the evaluation process. This innovation class evaluation procedure needs to be ready when the vendor has a new system. We have to allow for conceptual systems to be reviewed before huge investments are made. The review process might be in two stages. Stage 1, the vendor would provide a detailed description of the system they would like to build with justifications. Stage 2 would be a regular full review with the panel of experts and VSTL review.

The question was asked if this panel would be EAC-run and if so we need to provide a white paper outlining TGDC recommendations and allow for public comment.

ACTION: Prepare white paper with details outlining plausible way to organize panel, plausible timeframes, effort levels and scope of responsibilities. Criteria for recommending one way or the other should be provided. Rene Peralta will be contacting Ron Rivest offline regarding this issue. The process can evolve over time.

Next STS teleconference is Tuesday, February 6, 2007, at 10:30 a.m.

[* Pursuant to the Help America Vote Act of 2002, the TGDC is charged with directing NIST in performing voting systems research so that the TGDC can fulfill its role of recommending technical standards for voting equipment to the EAC. This teleconference discussion served the purposes of the STS subcommittee of the TGDC to direct NIST and coordinate its voting-related research relevant to the VVSG 2007. Discussions on this telecon are preliminary and do not necessarily reflect the views of NIST or the TGDC.]

Teleconferences from 2004, 2005, 2006 and upcoming in 2006.


Link to NIST HAVA Page

Last updated: July 25, 2007
Point of Contact

Privacy policy / security notice / accessibility statement
Disclaimer / FOIA
NIST is an agency of the U.S. Commerce Department