Guidelines Development Committee (TGDC)
Attendees: Alexis Scott-Morrison, Alicia Clay, Allan Eustis, Barbara Guttman, Commissioner Davidson (EAC), David Wagner, Helen Purcell, John Wack, Mat Masterson (EAC), Nelson Hastings, Paul Miller, Quynh Dang, Rene Peralta, Ron Rivest, Santosh Chokani, Sharon Laskowski, Thelma Allen, Wendy Havens
Review of TGDC Plenary Meeting (Ron):
Most everyone on today’s telecon were in attendance at the plenary meeting. We still have a lot to do before July. Most notable discussions from the meeting were:
John Wack will put together a list of the outcome items from the meeting and circulate it to TGDC members to verify everyone is in agreement on the resolution of the items.
Voter Verification [conditional vs. unconditional] (Ron):
Ron proposed the scenario that in some case (inkavote and populex systems) even though voter verifiable records are written in human readable form, it is not possible to verify the voter’s intent was correctly recorded without auxiliary information. The term human readable may need to be changed to “human readable without encoding” or “directly human readable”. John Kelsey and Sharon Laskowski will work on this requirement as it pertains to paper records and human factors. Their proposal will be sent to TGDC members for review.
Software Distribution and Installation Requirements (Nelson):
Nelson pointed out that a lot of the material in this section was procedural and questioned whether it should be moved into another section of the VVSG. Based on the conversation at this telcon meeting Nelson will rework this chapter to break it down; installation requirements will be part of the product standard and the software distribution (more procedural aspect) will go someplace else.
Whether or not software needed to be certified by the VSTLs AND the states AND the counties was also discussed. This may be an item that should be discussed in EAC’s Best Practices or Election Management Guidelines, as the authorization structure needs to be flexible per state. VVSG’s requirements might include requiring digital signatures to check that installation is following a defined pattern or template in the installation process and several of those components may need digital signature. The determination of what components get signed and by whom should be flexible. Per STS discussion, Nelson will rewrite and re-circulate to the STS for comments.
Epollbooks (John Wack):
It was decided at the TGDC plenary meeting that e pollbooks could be used for both networking and ballot activation at the discretion of the election officials. STS now needs to write requirements for e pollbooks and ballot activators. Could the voting system’s software be configured to protect it against an attack that would involve the activation token? Should we have tokens that are only one-time use? Requirements that get written need to contain the following input: 1) tokens should only contain ballot style; 2) contain provisional ID if needed; 3) contain activation information; 4) system should contain macro for integrity checking; 5) source code review of activator looking for vulnerabilities; 6) extra OEVT; and 7) voting system can not write anything back to token except what it takes to deactivate it (No ballot choice information).
What special requirements for e pollbooks should be included? The e pollbook should identify what mode it is in, whether networked and/or ballot activation mode. The configuration should also allow for the officials to decide which mode the system is in, there should be on/off switches for the network and ballot activator. There should also be specific requirements about backups when the network goes down so that the e pollbook continues to function.
Setup validation for e pollbooks will be discussed at the June 5th STS meeting.
Plans for Security Sections (Alicia):
Alicia went over the 5 categories where she felt the security sections resided in terms of completion:
There are a couple of places throughout the other volumes that need STS input. John Wack will go through and determine what needs to be done. Ron Rivest and David Wagner have been providing (and will continue to provide) comments on other volumes of the VVSG. If there are any terms/definitions you want added, those need to be submitted.
Tuesday, June 5, 2007, at 10:30 a.m. We will cover communications, system integrity management, and setup validation. There is a possibility that we will be able to get some of the time slots originally given to CRT.
[* Pursuant to the Help America Vote Act of 2002, the TGDC is charged with directing NIST in performing voting systems research so that the TGDC can fulfill its role of recommending technical standards for voting equipment to the EAC. This teleconference served the purposes of the STS subcommittee of the TGDC to direct NIST staff and coordinate voting-related research relevant to the VVSG 2007. Discussions on this telecon are preliminary and do not necessarily reflect the views of NIST or the TGDC.]
policy / security notice / accessibility statement