Guidelines Development Committee (TGDC)
Attendees: Alexia Scott-Morrison, Alicia Clay, Allan Eustis, Angela Orbaugh, Barbara Guttman, Bill Burr, Commissioner Davidson (EAC), David Wagner, Helen Purcell, John Kelsey, John Wack, Mat Masterson (EAC), Nelson Hastings, Patrick Gannon, Philip Pearce, Quynh Dang, Ron Rivest, Santosh Chokani, Wendy Havens
OEVT (Alicia Clay):
Ron Rivest feels that OECT represents important progress over the VVSG 2005. The OEVT requirements draft (which goes in Volume 5, Sections 3.4 and 5.5) was discussed in detail with specific changes noted. (See Rivest e-mail notes at below).The introductory section was taken from Santosh Chokani's white paper. The goals of OEVT were outlined "The goal of OEVT is to discover architecture, design and implementation flaws that have crept into the system which may not be detected using systematic functional, reliability, and security testing and which can be exploited to change the outcome of an election, interfere with voters' ability to cast ballots or have their votes counted during an election or compromise the secrecy of vote. The goal of OEVT also includes attempts to discover logic bombs, time bombs or other Trojan Horses that may have been introduced in the system hardware, firmware or software for said purposes."
The paper has a handful of requirements and discusses how the team should prioritize. John Kelsey inquired about intermediate attack goals, and was informed that they were still be taken into consideration. There is a requirement that states that you do not have to full exploit the vulnerability to point it out. Requirements have been added for reporting results and for what the testing labs are required to do. OEVT team is part of the testing lab function.
It was decided that the paper was in pretty good shape and just needed some polishing. Alicia will work in changes and forward out to STS members shortly.
The issue was discussed about what happens when a system fails OEVT. It was decided this was a matter for EAC and the testing labs. If a system fails, it will generally not be an easy fix before resubmission. Will it have to start at the beginning or should there be intermediate testing? Reevaluation is different and not the focus of the VVSG.
It was questioned whether testing results would be made public. Mat Masterson to research and report back to group. There may be proprietary vendor issues.
Epoll Books (John Wack):
Requirements for epoll books were revisited. John had sent out the latest draft and received a few responses back. A few questions remained that were discussed with the group. It was decided that patching/updates should be handled in the system integrity management section of the VVSG. John had put in two "should" requirements and asked the group for agreement/disagreement of keeping these in. 1) Activation devices should not be reusable and 2) Devices should only be big enough to contain necessary information. It was decided to leave the non-reusable requirement in as long as it was a should. The group would leave the size requirement in but change the scope to be include token and interface should be restricted in size. John was given the editing token to make changes to document and forward to the TGDC as a whole.
meeting scheduled for Tuesday, June 19, 2007. The main topic will
be the auditing sections. STS will also try to get some time to meet
after the CRT meeting this week on the 14th. (Note this is the case
and STS invited to join telcon on 7/14 at 11 am.
[* Pursuant to the Help America Vote Act of 2002, the TGDC is charged with directing NIST in performing voting systems research so that the TGDC can fulfill its role of recommending technical standards for voting equipment to the EAC. This teleconference served the purposes of the STS subcommittee of the TGDC to direct NIST staff and coordinate voting-related research relevant to the VVSG 2007. Discussions on this telecon are preliminary and do not necessarily reflect the views of NIST or the TGDC.]
policy / security notice / accessibility statement