Technical Guidelines Development Committee (TGDC)
Attendees: Angela Orbaugh, Barbara Guttman, Bill Burr, David Wagner, Helen Purcell, John Wack, Karen Scarfone, Mat Masterson (EAC), Nelson Hastings, Patrick Gannon, Quynh Dang, Ron Rivest, Sharon Laskowski, Wendy Havens
System Integrity Management and Set-up Validation (Barbara/Nelson):
These chapters were discussed together because there is substantial overlap between system integrity management and setup validation. David Wagner had originally questioned whether setup validation would be feasible given the cost and engineering effort; the group agreed that it is feasible, and discussed possible mechanisms for it along with the associated security risks. Nelson’s central question for the group was whether setup validation is still needed if system integrity management already performs integrity checks on the boot process, verifies the operating system before loading it, and verifies each application before it is loaded. System integrity management is a preventive mechanism (the machine does not boot unless the software is a valid, appropriately signed version), whereas setup validation is a discovery mechanism (learning what is actually on the system). Possible mechanisms for integrity management were discussed; Ron felt that the technology is available through several options and is doable.
The question of who signs and when was discussed. Key management was discussed and appears to be relatively simple and cost effective if done using integrity management checking. The first step will be a requirement that the vendor specify a trust model for the secure booting of software: which digital signatures are needed and how they are created, who signs the software and where, and a user’s manual.
A consensus was reached to scale back the setup validation requirements, making that section smaller and focusing it on forensic capabilities that would allow labs to read the state of a system after the fact, and instead to put the emphasis on ensuring that machines perform appropriate signature checking during the boot-up process so that only valid software runs. Nelson will circulate new versions of the requirements; setup validation will be renamed appropriately and possibly moved to another section.
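To make the preventive/discovery distinction concrete, the following added example (not part of the minutes or of any VVSG text) models a signed boot chain: the loader refuses to load any stage whose digest does not match a vendor-authenticated manifest, while a separate setup-validation routine only reports what is on the system. The stage images, the manifest format, and the use of HMAC as a stand-in for the vendor’s digital signature are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample stage images, in the order a machine would load them.
STAGES = {
    "bootloader": b"bootloader v1.2 (constructed sample)",
    "os": b"operating system image (constructed sample)",
    "voting_app": b"voting application (constructed sample)",
}
BOOT_ORDER = ["bootloader", "os", "voting_app"]

# Assumption: the vendor publishes a manifest of expected SHA-256 digests and
# authenticates it. HMAC with a constructed key stands in for the vendor's
# digital signature; a real trust model would use an asymmetric signature.
VENDOR_KEY = b"constructed-vendor-key"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _manifest_tag(manifest: dict) -> str:
    canonical = repr(sorted(manifest.items())).encode()
    return hmac.new(VENDOR_KEY, canonical, "sha256").hexdigest()

def build_manifest(stages: dict):
    """Vendor side: digest every stage, then authenticate the manifest."""
    manifest = {name: sha256(data) for name, data in stages.items()}
    return manifest, _manifest_tag(manifest)

def secure_boot(installed: dict, manifest: dict, tag: str) -> list:
    """Preventive: load stages in order; stop at the first one that fails to verify."""
    if not hmac.compare_digest(_manifest_tag(manifest), tag):
        return []  # manifest itself is not authentic: refuse to boot at all
    loaded = []
    for name in BOOT_ORDER:
        if sha256(installed.get(name, b"")) != manifest.get(name):
            break  # this stage and everything after it stays unloaded
        loaded.append(name)
    return loaded

def setup_validation(installed: dict, manifest: dict) -> dict:
    """Discovery: report what is on the system versus the manifest, without blocking."""
    report = {}
    for name in sorted(set(installed) | set(manifest)):
        if name not in manifest:
            report[name] = "unexpected"
        elif name not in installed:
            report[name] = "missing"
        else:
            report[name] = "ok" if sha256(installed[name]) == manifest[name] else "modified"
    return report
```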
Specific questions about backup were addressed: the requirements should pertain only to EMS systems, so the scope of the requirement needs to change. The malware requirement needs to be more specific, addressing spyware and antivirus software.
This section has been condensed and streamlined compared to the VVSG 05. It has been broken out into three protection levels: physical communication, transmission of information, and communications related to the voting application itself. Feedback from the STS was requested:
Meeting adjourned at 11:50 a.m.
[* Pursuant to the Help America Vote Act of 2002, the TGDC is charged with directing NIST in performing voting systems research so that the TGDC can fulfill its role of recommending technical standards for voting equipment to the EAC. This teleconference served the purposes of the STS subcommittee of the TGDC to direct NIST staff and coordinate voting-related research relevant to the VVSG 2007. Discussions on this telecon are preliminary and do not necessarily reflect the views of NIST or the TGDC.]