Security and Transparency Subcommittee (STS) Teleconference*
Tuesday, February 20, 2007, 10:30 a.m.


1. Administrative Update
2. Review of the joint STS-HFP call (minutes of call can be found at
3. Update on comments received on access control and system event logging sections
4. Update on modifications to setup validation section
5. Other Items
6. Next joint HFP/STS call Friday February 23, 2007, 11 am.

Next STS call Tuesday, March 6, 2007, 10:30 a.m.

Participants: Allan Eustis, Angela Orbaugh, Barbara Guttman, Bill Burr, David Flater, Helen Purcell, John Wack, Mat Masterson (EAC), Nelson Hastings, Patrick Gannon, Rene Peralta, Ron Rivest, Santosh Chokani, Sharon Laskowski, Steve Berger, Wendy Havens

Administrative Updates (Allan Eustis):

  • John Wack and Allan will be putting together a formal agenda this week for the March 22-23 meeting. Each subcommittee should have approximately 3 hours on the agenda.
  • There will be two workbooks distributed for this plenary meeting, one of which will contain the latest draft of the next iteration of the VVSG. It will also be posted on the website before the meeting.
  • Welcome to Mat Masterson from EAC. Mat will be the liaison between EAC and the TGDC subcommittees, keeping the lines of communication open.

Review of Joint STS-HFP Teleconference

At the joint HFP/STS meeting, two topics were on the agenda: First, software independence and accessibility for the voter and second, software independence and its implications on the usability of audits. As an action item from discussion of the first topic, John Cugini is working on a paper outlining some methods to be discussed on 2/23. One key issue to keep in mind is the notion of SI and accessibility in understanding all the ramifications and complexities when reviewing voter verification. John Wack expressed concerns that the machines used for voter verification would not be the same for both sighted and unsighted voters. Discussion ensued on "separate but equal" access or more appropriately "sufficient" access. Discussion has not occurred regarding implementation details regarding usability. The significance of auditability to security needs to be stressed - a proposal to toss auditability was a non-starter. The next joint STS/HFP meeting is 2/23/07 at 11:00 a.m.

Update on Comments Received on Access Control and System Event Logging Sections

All comments that were received last week have been reviewed. Some changes have been made, such as the comments regarding improving requirements with the wording "shall be capable of" have been corrected. Subcommittee is currently reviewing comments about items that should be in other sections. Three specific questions were discussed:

  • Should voting systems have administrator login and different accounts on the system? The system must have some kind of root capability, which must be tightly controlled. Access control policy would be role and identity based.
  • Should the access control policy be fixed or can you customize it to allow more privileges and change roles? Ron Rivest felt it should be fixed, but noted that there was a possibility that state law may require flexibility. Nelson had suggested writing minimum requirements regarding roles and not mentioning customization. There was discussion about whether or not this would work. Nelson will redo this section.
  • Should voting machines store logs from previous elections? This comes from requirements regarding managing logs and rolling off (deleting) logs when the storage gets full. States require capability to keep previous election records (paper) for 22 months. Is the data copied or erased? (Machines in Arizona are erased after elections. Back up records are kept.) Good model is dumping data onto once writable CDs. Is there a requirement for writeable media in the voting system?

Update on Modifications to Setup Validation Section

All changes discussed at the last STS conference call were made for the section on software identification and software verification. One of the changes was limiting the scope of software requirements to election management systems. Discussion ensued about the scope of set up requirements on networked devices. This had been brought up originally by David Wagner because of a concern with viruses. Nelson has extended the scope in the paper to include not only the verification but the identification part as well. Consensus was reached that identification needs to be universal. Discussion continued about which pieces needed strong verification. Election management systems. The requirement regarding Network Vote Capture Devices will be changed to Vote Capture Devices and written with a "should", with the recommendation that this will become a "shall". A note will be added in the Discussion section annotating this.

Nelson then clarified what had been deleted. Correct behavior of the verification software requirement, external port requirement, chain of custody requirement, robustness of the verification technique, and sourcing of the verification hardware and software from parties other than the vendor were removed. The digital signature-centric language was modified. Barbara asked for a clarification about the impacts of the changes. These changes are all related to the requirements on the verification technique that was used. It was generalized to say that a technique had to be used, but it did not get specific. A clarification was then asked regarding what requirements were written to make sure a technique was good. Nelson will send out an email clarifying - the requirement needs to be strong but flexible.

Exchange Standards for Election Data (David Flater)

This subject is being brought up because STS was interested in looking at possibility of representing cast vote records and possibly other things in a standard export format. CRT's testing requirements are more broad than what's needed by STS. EDX cannot be used because it is the intellectual property of Hart. The current version of EML has a lot of issues - too many for testing as required by CRT. They are currently working on a new version but not sure if that will be ready in time for VVSG 07. One issue that will not be resolved in the next iteration is the conceptual distinction between a vote tally and a ballot count. John Wack feels that we will not be able to point to a specific standard by draft time. EML V5 may not be out in time to be referenced. Ron Rivest suggested that we put a placeholder in that states "cast vote records will be in a plausible open format, meeting the following requirements, etc." with the understanding that it could be replaced when EML V5 or V6 come out. STS needs to specify a list of requirements to determine if the next iteration will meet its needs. A comment could be added about it being STS's hope that EML will be the language we use as a standard.

Meeting adjourned at 12:00.

[* Pursuant to the Help America Vote Act of 2002, the TGDC is charged with directing NIST in performing voting systems research so that the TGDC can fulfill its role of recommending technical standards for voting equipment to the EAC. This teleconference served the purposes of the STS subcommittee of the TGDC to direct NIST staff and coordinate voting-related research relevant to the VVSG 2007. Discussions on this telecon are preliminary and do not necessarily reflect the views of NIST or the TGDC.]


Teleconferences from 2004, 2005, 2006 and upcoming in 2006.


Link to NIST HAVA Page

Last updated: July 25, 2007
Point of Contact

Privacy policy / security notice / accessibility statement
Disclaimer / FOIA
NIST is an agency of the U.S. Commerce Department