Security and Transparency Subcommittee (STS) Conference Call
Tuesday, November 14, 2006, 10:30 a.m.


1) Administrative Updates
2) SW independent/dependent path forward
3) Revised TGDC December meeting agenda for STS (See attachment TGDC Agenda_draft_110806.pdf)
4) Clarification of content for security documentation requirements
5) Other Items
6) Next call Tuesday, November 21, 2006 at 10:30AM.

Participants: Alicia Clay, Allan Eustis, Bill Burr, David Flater, David Wagner, Commissioner Donetta Davidson, Helen Purcell, John Wack, Nelson Hastings, Patrick Gannon, Quynh Dang, Rene Peralta, Ron Rivest, Santosh Chokhani, Sharon Laskowski, Steve Berger, Wendy Havens

Administrative Updates:

  • Allan: EAC/NIST are starting to plan when the next TGDC meeting after December will be. Tentatively week of March 15-16 or 20-25 are in play.

Review of EAC/NIST/TGDC Meeting on November 13

  • John W: Ron had sent his software independent paper to the EAC. John is writing Bill Burr's version of this combined with an internal NIST paper focusing on what we'll be presenting - a white paper outlining our strategy. Donetta Davidson will email Brian's concerns about this paper for Ron and John's response.

  • Issue from meeting: Are we making big changes in VVSG 07 or not? Discussion of Incremental changes how state laws may have some affect on those changes.

  • We should discuss where we are and what we have left to do for the December meeting.

  • Ron: We need to nail down as much as possible for the security and risk management piece.

  • The software independent system was discussed a lot, both specifically and in regards to what it means to the larger picture of other kinds of voting systems.

  • Black box DREs without software independence would not be certified under the new system.

  • Two categories of voting systems: independent dual verification (viability in the marketplace) and end-to-end cryptographic systems which would be software independent, but we could be more specific about the kind of requirements we write for them. Coming back from the EAC/NIST meeting with a clearer view that the independent dual verification system not be excluded.

  • Alicia question: When Mark Skall said he wanted us to move forward on the innovation class, does he want us to write requirements to get certified or the process? There was discussion but no conclusions. We could probably write high level requirements, but we definitely need more discussion. This should be brought to full TGDC committee. Is it enough to say "we want to encourage innovation; we realize it's not happening fast enough"? How do we stimulate vendors to produce a new designs. We should have an open door policy - we need a certification process that makes it clear that they can request certification of a system that involves innovative approaches.

  • There was discussion about disabled voters and accessibility and how it relates to software independence and voter verification. Whitney Q will help work on the white paper.

  • Everyone on the EAC/NIST call felt comfortable with our approach on wireless.

  • OEVT was mentioned, not much time for discussing.

  • Also discussion led by Whitney and Dan on their subcommittees priorities.

  • Donetta: EAC has testified before congress that VVSG 07 will be delivered in July 07 and we cannot change our timeframe. We need to prioritize the most important elements in the security area that we need to address. We need to evaluate the security risks and how they fall into place. Think about cost factor. Think about time element - TGDC needs to give guidance about how long it will take manufacturers to meet requirements. Will EAC be holding a hearing with the vendors to get their feedback? This should be brought up at ITAA vendor meeting. EAC is going to have a summit about the costs of doing certification.

  • Helen feels that they were rushed before with the VVSG 2005 standards and buying voting equipment to comply with HAVA and does not want that to happen again.

  • Donetta hopes election officials will ask questions at the TGDC meeting so that they understand what we are doing with VVSG 2007.

Software Independent/Dependent Path Forward

We seem to be making good progress for the December TGDC meeting. We don't support software dependent systems, so black box DREs will not be certified. But there is the innovation class if someone has something new.

How do we best move forward with this thrust at the meeting? We have the paper John is revising. Do we need a resolution? Ron will be making a presentation at the meeting. We need to determine what is the best approach?

John: From an engineering point of view, the DRE architecture is not something we should put forth. The threats say this is not a good architecture. In general, it was something rushed to the market and does not have an audit trail. That is the reason we should give for not going this route in VVSG 07. Not suitable for the future.

Bill B: Accepting stand alone DREs is saying that security is not very relevant. The system should be designed from the ground up to be audited. If you accept these DREs as is, your avoiding the possibility of errors or the possibility of someone manipulating the code.

Barbara: In the context of error, in regards to the situation in Sarasota, FL, 18,000 votes may have been lost. This is where doing forensics on the machines becomes important. After the analysis, it might be interesting to use in our presentations. Paper trails may not have helped in this situation. However, we don't know what happened. Patrick is in Sarasota. Each county designs its own ballot. Is this a software problem or a ballot design problem? What are we doing in this committee that could have helped? If it was a software glitch, definitely the stuff on software independent would; whether the setup validation should be written in a way that's useful for post election checking.

John K: Is there a process in various states to look at the machines in a forensics way, take them apart? Donetta feels that could wipe out election results if they didn't know what they were doing. Need to do examination like computer/criminal forensics. States have nothing set up.

What happens if L&A tests pass before election but fail after? Answer- Review of whole election.
In DREs, is the ballot image kept on the machine or memory card? Answer- Both with an audit trail.

In getting back to TGDC, it looks like we can come up with good reasons why we're not writing requirements for stand-alone DREs. What are we going to do with the requirements (high-level or not) for the IV systems? Propose we have requirements to certify against or build against? If someone wants to propose a software dependent system like IV, it must go through the innovation class mechanism for evaluating.

EAC is looking at this committee for leadership trying to architect approaches within the class of IV that people can build to. This may be hard for this committee to do. However, there is an expectation on this subcommittee that we try to clarify our feelings and technical issues with this area and try and position the IV system somehow so that someone could propose a system in this area and what kind of architecture fits. The innovation class is hard to design.

We can not shut the door and say the paper is the way we're going to go. There are continuing problems and issues. Having it as the only thing would be bad, but having it as a check on the electronic record is very viable approach.

What we're saying is right now what we know is how to write standards for are paper systems if we want them to be auditable. We would like to write them for electronic and end-to-end systems but we don't know how to do that yet. Ron thinks we can do high level for both, David for end-to-end, challenging but feasible, IV impossible. Rene Peralta disagrees, he thinks we can write specs for IV.

John W: Good for December meeting to get the points across and maybe come with some high level requirements, but writing them by the meeting may be impossible. Maybe a short white paper.

Alicia: If we go into the Dec. meeting with requirements for paper, and high level requirements for systems we're putting in the innovation class that we're not going to be certifying against, we will be saying people have to use paper. Ron thinks even if the requirements are high level for the innovation class , there will be a rigorous process for achieving certification.

It sounds like we're saying the door is open for other systems, but not very far. It could be a 5 or 10 year process. From the time a vendor designs, builds, tests to go through our process which is probably not going to be a quick process.

Donetta: Have you talked to the vendors to see about the future to see if they plan to come up with a different type of voting system at various levels of abstraction. The vendors think that VVPAT is not the way to go, that the DRE architecture is fine. We should be looking at secure system approaches to building better DREs. Not looking at other forms of IV.

To build a secure system out of a functionally insecure architecture, you'd have to start from scratch.

We're giving the vendors limited amounts of freedom, limiting the available options to the vendor, specifically printers, there's a lot we can do about what printing technology would hold up to this use scenario. It should be easy to do a solid audit trail - we should be able to do something that would record keystrokes off the machines.

John W: Strategy was agreed at last conference call, which is what we briefed Bill Jeffrey on. Much confusion on our strategy after EAC/NIST/TGDC meeting on Monday. Innovation class versus the IV class. Certification path for the innovation class was agreed upon. Hearing agreement about IV, Ron and David feel not worth going down, others disagree. Feels there should be discussion at TGDC meeting why IV is difficult.

Software dependent machines much have very strong requirements.

John Kelsey would be able to discuss proof of concepts at the TGDC meeting.

Bill B: If we go in with an absolute notion of software independence and an absolution notion of voter privacy and secret ballots, can we develop systems that do both? David W: YES. These things can be done, they're challenging but can be accomplished. Is it possible to get an end-to-end system certified now if you showed it couldn't be worse than a certified system? Risky.

Agenda for December TGDC Meeting

STS has three hours. Draft agenda as proposed after discussion:

#1 - Restructuring the security components of VVSG 2007

  • New architecture with audit base
  • Related, high level testing expectations (will include discussion of OEVT and security documentation)

#2 - Position on SW dependent systems and the innovation class alternative

#3 - Significant changes in requirements

  • Wireless
  • Changes to HW
  • Set-up validation - (as time permits)
  • New VVPR requirements - as time permits
  • New electronic records requirements - as time permits
  • Others?

Meeting Concluded: 12 Noon.

Teleconferences from 2004, 2005, 2006 and upcoming in 2006.


Link to NIST HAVA Page

Last updated: July 25, 2007
Point of Contact

Privacy policy / security notice / accessibility statement
Disclaimer / FOIA
NIST is an agency of the U.S. Commerce Department