Technical Guidelines Development Committee (TGDC)
Security and Transparency Subcommittee (STS) Teleconference *
June 19, 2007, 10:30 a.m.
Draft Minutes


1) Administrative Updates
2) Discussion of Security and Audit Architecture Requirements (including electronic and paper record requirements)
3) Other items
4) Next STS call Tuesday, June 26th at 10:30AM.

Attendees: Allan Eustis, Andrew Revensteid, Angela Orbaugh, Barbara Guttman, Bill Burr, Commissioner Davidson (EAC), Helen Purcell, John Kelsey, John Wack, Mat Masterson (EAC), Nelson Hastings, Patrick Gannon, Quynh Dang, Santosh Chokani, Sharon Laskowski, Wendy Havens , Rene Peralta

Administrative Updates:

  • A web page containing information for the upcoming plenary teleconference has been started. A draft agenda for the 7/3 telcon will be posted later today. There is a current version of the VVSG posted, it will be updated with more current versions when they are available. The plenary telcon meeting is scheduled to begin at 11:30 EDT on July 3rd.

Update on Security Chapters (Nelson Hastings):

  • Physical Security, Cryptography, and Communications Requirements: have been sent to John Wack for incorporation into the VVSG.
  • Access Control: Nelson is reading to check the scope, will send to STS within the next day
  • System Event Logging: Nelson forwarding to STS with the next day
  • Software Distribution and Software Installation: this section has gone through a major rework. Some requirements have been moved to volume 5. The chapter has been refocused on just software installation.
  • Setup Validation: section rescoped. Nelson in the process of editing.
  • OEVT: in the process of creating new requirements, it will be send out on Wednesday this week and will be discussed at next Tuesday's STS meeting.
  • Documentation requirements in each of these sections have been moved to the Security Documentation section.
  • Please get comments in soon, after Friday's build of the document it will not be logistically possible to do much major editing.

Audit Architecture (John Kelsey):

This section discusses the auditing steps required to be supported by a voting system. (The other sections on electronic records and VVPR discuss the records used for auditing and the requirements on them. They also contain other security requirements besides auditing ones.)

The high level purpose of the audit architecture is to discuss what auditing steps are needed to secure a voting system as software independent (SI). This is an equipment standard - the vendor must document the steps for an audit and they must be testable in the lab.

[NOTE: Remove reference to VVSG 07, just title it VVSG. NOTE: Glossary will be renamed to something like "Words with Special VVSG Meaning.]

Big changes to this section were to remove the primary focus of OEVT testing; make a high level explanation of steps; and to change from six auditing steps to four. The auditing steps to ensure persistent records from the voting system agrees are 1) pollbook audit, 2) hand audit of paper and electronic records, and 3) checking device records against final tally. The auditing steps to ensure vote capture device is interacting with the voter properly and recording votes fairly is observational testing. The big change was to get ride of parallel testing and spot parallel testing.

[NOTE: There was discussion of whether a requirement should be added in this section to explicitly say that voting systems 'shall' be SI and it was decided that John Wack would add that to the Conformance Clause section.]

Electronic Records (John Kelsey):

The high level discussion on electronic records involves how particular components (voting devices) have to exchange electronic records (e.g., VVPAT system sending vote totals and ballot images to election management system), what information must be included in those records, and how they will be protected cryptographically. It also discusses the ability needed to print out reports with certain information on them that links back to the auditing chapter.

Big change in this chapter was that John originally had a lot of discussion about certificates and a lot of overlap with the cryptography chapter. Much of that information has been cut and instead includes references to the cryptography chapter. The electronic records chapter also specifies two different final reports: an audit tally and a final tally. There are requirements here to protect voter privacy. John Kelsey requested comments from election officials about what information was needed in the final tally. Any comments are needed by cob Wednesday, June 20th.

Voter Verifiable Paper Records (VVPR) (John Kelsey):

There are two high level systems of VVPR: optical scan systems and VVPAT systems. The informational text in this chapter discusses the reasons behind VVPR - so that the voter can see their ballot to verify and so that it can be recounted. John Kelsey was not at the last TGDC plenary meeting and wanted to verify that he had captured the two major concerns from that meeting - machine readability requirements and cut sheet VVPAT requirements. [NOTE: It was pointed out that testing methods were needed to be written for the machine readable requirements. John Wack will discuss this with David Flater.]

Two issues were raised. There was concern expressed about the non-human readable information contained on an op scan system not being in a public format. It was decided by members in attendance to exclude open format on op scan systems. The other issue was regarding the rejection of paper records by a voter. It was decided to include a 'may' requirement that the system allowed for election intervention but that if it did so that the number of tries necessary before election official intervention must be configurable, and that this must be done before an election begins.

Another big issue in this section was in regards to cut sheets VVPATs. The original requirement did not allow for ballots to be split on multiple sheets - this would prevent using off the shelf printers and paper. It was changed to allow splitting cast vote records over multiple sheets. There is a new requirement that does not allow for questions to be split across sheets. Each sheet must be rejected or accepted individually. John Kelsey requested comments from the election officials.

Requirements regarding that linking between electronic records and paper records was optional was clarified. The system must be capable of producing identifiers that link the two, but it must also be capable for election officials to turn this off.

It was decided that the requirements in the VVPR section regarding batching would be deleted.


Next STS meeting is scheduled for Tuesday, June 26th. The discussion will be on OEVT.

[* Pursuant to the Help America Vote Act of 2002, the TGDC is charged with directing NIST in performing voting systems research so that the TGDC can fulfill its role of recommending technical standards for voting equipment to the EAC. This teleconference served the purposes of the STS subcommittee of the TGDC to direct NIST staff and coordinate voting-related research relevant to the VVSG 2007. Discussions on this telecon are preliminary and do not necessarily reflect the views of NIST or the TGDC.]

Teleconferences from 2004, 2005, 2006 and upcoming in 2006.


Link to NIST HAVA Page

Last updated: July 25, 2007
Point of Contact

Privacy policy / security notice / accessibility statement
Disclaimer / FOIA
NIST is an agency of the U.S. Commerce Department