and Transparency Subcommittee (STS) Conference Call *
Participants: Alicia Clay, Allan Eustis, Angela Orebaugh, Barbara Guttman, Bill Burr, David Flater, David Wagner, Helen Purcell, John Cugini, John Wack, Nelson Hastings, Patrick Gannon, Philip Pearce, Quynh Dang, Rene Peralta, Santosh Chokhani, Wendy Havens
Cross Subcommittee Topics:
COTS: A discussion took place of the proposal by CRT. The discussion paper suggested having a list of approved COTS software that can be used in voting systems. This suggestion would require EAC support and buy-in in order for it to be implemented. Discussion papers clarifies relevant concepts - everything submitted is NOT either COTS or non-COTS. Paper contains more precise definitions. It deals with the applicability of requirements to COTS.
David Flater inquired if there was any feedback/comments to the paper. David Wagner (with no objections) stated that STS agrees with CRT's approach to COTS. David W will send an email to Ron Rivest regarding trusted COTS to see if there are any issues he would like to raise.
HFP: John was asked to expound on Whitney's end-to-end paper and on his SI/Accessibility paper.
John outlined the thesis of the end-to-end paper: main problem is how/whether to achieve comparable verifiability for blind voters as for sighted. Main technical suggestions so far seem to be: a. non-vendor-dep't OCR and b. audio tape. Are these feasible? Are they SI? Not knowing where Whitney stands on some topics, John preferred not to comment any further.
Discussion on SI/Accessibility paper: STS subcommittee felt we need to distinguish two goals: first, protect election versus second, enable individual voter verification - do the two specific approaches suggested for blind voter verification meet the need, i.e. would they count as SI-type voter verifiability?
David Wagner suggested that maybe Goal #1 must be strictly SI, but Goal #2 need not be - the implication is that plain old audio verification (clearly non-SI) for blind voters is good enough as long as the mechanism is checked thoroughly enough not to endanger the election. That is, maybe the Acc-VS itself need not be SI?
The issue is whether the VVSG mandates an expensive/high-tech approach that is (arguably) SI, or whether the cheaper/low-tech, but non-SI, approach is good enough.
Rene Peralta noted that the TGDC adopted Goal #2 in the SI resolution passed in December.
David Wagner suggested that SI does not rule out software to read the record of the vote.
Discussion followed on two potential methods for verification. Are these good security approaches? U.S. Access Board concept of "complimentary accessibility" mentioned. What is the merger of adequate accessibility with adequate security?
Philip Pearce emphasized that accessibility requirement extends beyond blind to low vision, and cognitive disabilities.
Barbara Guttman recommended that accessible voting station (both audio and print output) should be able to be verified by all voters. Discussion of direct/indirect verification by both blind and sighted voters followed. Conclusion that the best we can do is to maximize the number voters that can verify their vote. (Philip Pearce will get input from U.S.Access Board on these issues).
Concern at this time with interoperability standards; they will be a focus of next STS meeting. Dave Flater recommended considering using "mays" in some of these requirements to not preclude solutions..
SI and Set Up Validation
Nelson Hastings summarized the papers. Discussion of software related requirements in set up followed including digital signatures and (trusted) external port issues. David Wagner suggested you need to be more precise as to applicability. Make digital signature requirement a "shall".
With external port, architectural changes in the hardware of voting systems are required. This is expensive.
Should we eliminate software integrity requirements because of SI? Option two would be to modify software integrity requirements- make them "shoulds". There are cost issues; Plausible to make trusted external port as a "should" requirement.
Wagner noted that SI does not solve some threats such as denial of service
Nelson brought up issues of performance metrics/techniques. David suggested stating goal and listing accessible modes and performance based techniques. Need testable requirements. Concern expressed with use of the word "Trusted" with external port.
Suggestion to look at gaming industry set up requirements. John Wack will send out e-mail.
5) Next call Tuesday, February 20, 2007 @ 10:30 AM EST
[* Pursuant to the Help America Vote Act of 2002, the TGDC is charged with directing NIST in performing voting systems research so that the TGDC can fulfill its role of recommending technical standards for voting equipment to the EAC. This teleconference discussion served the purposes of the STS subcommittee of the TGDC to direct NIST and coordinate its voting-related research relevant to the VVSG 2007. Discussions on this telecon are preliminary and do not necessarily reflect the views of NIST or the TGDC.]
policy / security notice / accessibility statement