Technical Guidelines Development Committee (TGDC)
Security and Transparency Subcommittee (STS) Teleconference
May 29, 2007, 10:30 a.m.

Draft Agenda

1) Administrative Updates
2) Review of TGDC Plenary Meeting
3) Discussion of Voter Verification - Ron Rivest
4) Discussion of Software Distribution and Installation Requirements
5) Other items
6) Next STS Teleconference - Tuesday, June 5, 2007

Attendees:  Alexis Scott-Morrison, Alicia Clay, Allan Eustis, Barbara Guttman, Commissioner Davidson (EAC), David Wagner, Helen Purcell, John Wack, Mat Masterson (EAC), Nelson Hastings, Paul Miller, Quynh Dang, Rene Peralta, Ron Rivest, Santosh Chokani, Sharon Laskowski, Thelma Allen, Wendy Havens

Administrative Updates:

  • Plans for the upcoming TGDC plenary teleconference are underway.  We’re looking at the week of July 2 – most likely the meeting will be on July 3rd.  Allow about 3 hours for the call.  Allan will send out date and time soon.
  • The unofficial closed caption transcripts of the May plenary have been posted.  We have put a rush order in for the official transcripts.

Review of TGDC Plenary Meeting (Ron):

Most everyone on today’s telecon was in attendance at the plenary meeting.  We still have a lot to do before July.  The most notable discussions from the meeting were:

  • E poll books (switching the consensus to allow them to be both networked and ballot activators)
  • Multi-sheet paper ballots (appears these are necessary to allow)
  • Barcodes (OK to use)
  • VVPAT (requiring human readable to also be machine readable)

John Wack will put together a list of the outcome items from the meeting and circulate it to TGDC members to verify everyone is in agreement on the resolution of the items.

Voter Verification [conditional vs. unconditional] (Ron):

Ron proposed the scenario that in some cases (the InkaVote and Populex systems), even though voter-verifiable records are written in human-readable form, it is not possible to verify that the voter’s intent was correctly recorded without auxiliary information.  The term “human readable” may need to be changed to “human readable without encoding” or “directly human readable”.  John Kelsey and Sharon Laskowski will work on this requirement as it pertains to paper records and human factors.  Their proposal will be sent to TGDC members for review.

Software Distribution and Installation Requirements (Nelson):

Nelson pointed out that a lot of the material in this section was procedural and questioned whether it should be moved into another section of the VVSG.  Based on the conversation at this telecon, Nelson will rework this chapter to break it down: installation requirements will be part of the product standard, and software distribution (the more procedural aspect) will go someplace else.

Whether or not software needed to be certified by the VSTLs AND the states AND the counties was also discussed.  This may be an item that should be discussed in the EAC’s Best Practices or Election Management Guidelines, as the authorization structure needs to be flexible per state.  The VVSG’s requirements might include digital signatures used to check that an installation follows a defined pattern or template, and several of the installed components may need to be digitally signed.  The determination of what components get signed and by whom should be flexible.  Per STS discussion, Nelson will rewrite and re-circulate to the STS for comments.

Epollbooks (John Wack):

It was decided at the TGDC plenary meeting that e pollbooks could be used for both networking and ballot activation at the discretion of the election officials.  STS now needs to write requirements for e pollbooks and ballot activators.  Could the voting system’s software be configured to protect it against an attack that would involve the activation token?  Should we have tokens that are only one-time use?  Requirements that get written need to contain the following input:  1) tokens should only contain ballot style; 2) contain provisional ID if needed; 3) contain activation information; 4) system should contain a macro for integrity checking; 5) source code review of the activator looking for vulnerabilities; 6) extra OEVT; and 7) the voting system cannot write anything back to the token except what it takes to deactivate it (no ballot choice information).

What current VVSG requirements should apply to e pollbooks?  It appears that most requirements (except the ones specific to voters) should apply to e pollbooks as well as the voting system.  John Wack will go through the requirements to double check this.
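As an added illustration (not part of these minutes or of any VVSG text), the following Python models the seven token inputs listed above as an issuer (e pollbook) and a consumer (voting system).  HMAC-SHA256 stands in for the unspecified integrity check, and the field names, key handling and sample ballot style values are assumptions.

```python
# Illustrative model of the activation token requirements discussed by STS.
# HMAC-SHA256 is assumed as the integrity mechanism; the minutes do not fix one.
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed per-election key shared by the e pollbook and the voting system.
# Caveat: a shared MAC key lets the verifier also mint tokens; a signature
# scheme would separate the issuing and checking roles.
ELECTION_KEY = secrets.token_bytes(32)

# Requirements 1-3: the token carries only these fields.
ALLOWED_FIELDS = {"ballot_style", "provisional_id", "activation"}

def _mac(payload: dict) -> str:
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(ELECTION_KEY, data, hashlib.sha256).hexdigest()

def issue_token(ballot_style: str, provisional_id: Optional[str] = None) -> dict:
    """E pollbook side: ballot style, optional provisional ID and a fresh
    activation nonce, sealed with a MAC (requirement 4)."""
    payload = {"ballot_style": ballot_style, "provisional_id": provisional_id,
               "activation": secrets.token_hex(8)}
    return {"payload": payload, "mac": _mac(payload), "deactivated": False}

def verify_token(token: dict) -> bool:
    """Voting system side: reject tokens with extra fields, a bad MAC,
    or that have already been used (one-time use)."""
    payload = token["payload"]
    if set(payload) != ALLOWED_FIELDS:
        return False
    if not hmac.compare_digest(token["mac"], _mac(payload)):
        return False
    return not token["deactivated"]

def write_back(token: dict, update: dict) -> None:
    """The only write path from the voting system to the token (requirement 7):
    anything other than setting the deactivation flag is refused."""
    if set(update) != {"deactivated"} or update["deactivated"] is not True:
        raise PermissionError("voting system may only deactivate the token")
    token.update(update)

def activate_ballot(token: dict) -> str:
    """Consume the token and return the ballot style to activate."""
    if not verify_token(token):
        raise PermissionError("token rejected")
    write_back(token, {"deactivated": True})
    return token["payload"]["ballot_style"]
```

Run `activate_ballot` twice on the same token to see the one-time-use check, and pass a ballot choice to `write_back` to see the write restriction refuse it.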

What special requirements for e pollbooks should be included?  The e pollbook should identify what mode it is in, whether networked and/or ballot activation mode.  The configuration should also allow the officials to decide which mode the system is in; there should be on/off switches for the network and the ballot activator.  There should also be specific requirements about backups when the network goes down so that the e pollbook continues to function.

Setup validation for e pollbooks will be discussed at the June 5th STS meeting.

Plans for Security Sections (Alicia):

Alicia went over the 5 categories where she felt the security sections resided in terms of completion:

Done:  cryptography; access control; system event logging

Received Direction from STS/Not Completed:  paper records (John K/Sharon L – human readable w/out auxiliary information); physical security; software distribution and installation; security documentation; innovation class; text on OEVT; electronic records

Done but No Feedback from STS: audit strategy

Items That Still Need to Be Circulated: system integrity management; communications

Need Direction:  setup validation

There are a couple of places throughout the other volumes that need STS input.  John Wack will go through and determine what needs to be done.  Ron Rivest and David Wagner have been providing (and will continue to provide) comments on other volumes of the VVSG.  If there are any terms/definitions you want added, those need to be submitted.

Next Meeting:

Tuesday, June 5, 2007, at 10:30 a.m.  We will cover communications, system integrity management, and setup validation.  There is a possibility that we will be able to get some of the time slots originally given to CRT.

