Technical Guidelines Development Committee (TGDC)
Security and Transparency Subcommittee (STS) Teleconference *
June 5, 2007, 10:30 a.m.

Draft Agenda

1) Administrative Updates
2) Review of the TGDC meeting
3) Discussion of Communication requirements
4) Discussion of System Integrity Management requirements
5) Discussion of Setup Validation using an external device
6) Other items
7) Next STS call Tuesday, June 12th at 10:30AM.

Attendees:  Angela Orbaugh, Barbara Guttman, Bill Burr, David Wagner, Helen Purcell, John Wack, Karen Scarfone, Mat Masterson (EAC), Nelson Hastings, Patrick Gannon, Quynh Dang, Ron Rivest, Sharon Laskowski, Wendy Havens

Administrative Updates:

  • John Wack:  We are consolidating TGDC member comments to the VVSG chapters.   The subcommittees are tracking appropriate comments and processing.  At the end we should have a good explanation about how each comment was handled.
  • Allan:  Public comments are posted on the web  Please review.
  • Allan:  We are proceeding ahead for the July 3 plenary teleconference (Tentative start 11:30 am EDT.)

System Integrity Management and Set-up Validation (Barbara/Nelson):

These chapters were discussed together because there seems to be a lot of overlap between integrity management and setup validation.  David Wagner had originally questioned whether setup validation would be doable based on costs and engineering.  It was agreed that it was doable.  Possibilities for handling it and security risks were discussed.  Nelson’s big question for the group was if, when doing system integrity management, you do integrity checks on the boot process, testing operating system before loading, and checking integrity of applications before they are loaded, do we still need setup validation?  System integrity management is a preventive mechanism (don’t boot unless valid version appropriately signed), where setup validation is a discovery mechanism (to learn what’s on the system).  Possible mechanisms for handling integrity management were discussed. Ron felt that the technology is available via several options and is doable. 

The question about who signs and when was discussed.  Key management was discussed and it appears that it should be relatively simple and cost effective if done using integrity management checking.  A requirement for having the vendor specify a trust model for the secure booting of software, what digital signatures are needed and how they are created, who would sign the software and where, and a users manual will be the first step.

A consensus was reached to back off on setup validation requirements, making this section smaller and talking about forensics capabilities where it would be possible for labs to read the state of the systems after the fact; and instead to put emphasis on making sure that the machines do appropriate checking of signatures during boot up process, making sure only valid software is running.  Nelson will get new requirements versions out, setup validation will be appropriately renamed and possibly moved to another section.

Specific questions about backup were addressed – requirements should only pertain to EMS systems so the scope in the requirement needs to change.  The malware requirement needs to be more specific to talk about spyware and antivirus software.

Communications (Nelson):

This section has been condensed and streamlined compared to the VVSG 05.  It has been broken out in three different protection levels: physical communication, transmission of information, and communications related to the voting application itself.  Feedback from the STS was requested:

  • Ron had minor comments: using the term “as necessary” might be too vague.  Cryptography checks are not defined – what are you talking about with integrity protection – setup requirements are needed.
  • David W: When talking about physical security requirements (1.2.1), it should be clearly stated that there are only two allowed scenarios for externally networking on Election Day and spell them out here.
  • Patrick Gannon: Concerned that the section that limits to one active interface is too restrictive.  Nelson to review/rework.
  • Ron: The phrase about preventing inbound and outbound attacks needs to be reworded because we can’t prevent these attacks.

Next Meeting:

  • Tuesday, June 12, 2007
  • Topics to include:  epollbooks, OEVT, and uncertain/difficult requirements


  • Ron agreed with comments sent in by David Wagner regarding Volume 5 and making sure the tests match the requirements being written.  Barbara pointed out that volume 5 is meant to be the testing infrastructure, there is still a lot of work to be done for creating the tests after the standards are written.
  • John Wack sent out a paper on ballot activation requirements, please provide feedback before the next STS meeting.

Meeting adjourned at 11:50 a.m.

[* Pursuant to the Help America Vote Act of 2002, the TGDC is charged with directing NIST in performing voting systems research so that the TGDC can fulfill its role of recommending technical standards for voting equipment to the EAC. This teleconference served the purposes of the STS subcommittee of the TGDC to direct NIST staff and coordinate voting-related research relevant to the VVSG 2007. Discussions on this telecon are preliminary and do not necessarily reflect the views of NIST or the TGDC.]

Teleconferences from 2004, 2005, 2006 and upcoming in 2006.


Link to NIST HAVA Page

Last updated: July 25, 2007
Point of Contact

Privacy policy / security notice / accessibility statement
Disclaimer / FOIA
NIST is an agency of the U.S. Commerce Department