Guidelines Development Committee (TGDC)
Attendees: Allan Eustis, Andrew Revensteid, Angela Orbaugh, Barbara Guttman, Bill Burr, Commissioner Davidson (EAC), Helen Purcell, John Kelsey, John Wack, Mat Masterson (EAC), Nelson Hastings, Patrick Gannon, Quynh Dang, Santosh Chokani, Sharon Laskowski, Wendy Havens, Rene Peralta
Update on Security Chapters (Nelson Hastings):
Audit Architecture (John Kelsey):
This section discusses the auditing steps required to be supported by a voting system. (The other sections on electronic records and VVPR discuss the records used for auditing and the requirements on them. They also contain other security requirements besides auditing ones.)
The high-level purpose of the audit architecture is to discuss what auditing steps are needed to secure a voting system as software independent (SI). This is an equipment standard: the vendor must document the steps for an audit, and they must be testable in the lab.
[NOTE: Remove reference to VVSG 07, just title it VVSG. NOTE: Glossary will be renamed to something like "Words with Special VVSG Meaning."]
The big changes to this section were to remove the primary focus on OEVT testing, to give a high-level explanation of the steps, and to change from six auditing steps to four. The auditing steps to ensure that the persistent records from the voting system agree are 1) pollbook audit, 2) hand audit of paper and electronic records, and 3) checking device records against the final tally. The auditing step to ensure that the vote capture device is interacting with the voter properly and recording votes fairly is observational testing. The big change was to get rid of parallel testing and spot parallel testing.
[NOTE: There was discussion of whether a requirement should be added in this section to explicitly say that voting systems 'shall' be SI and it was decided that John Wack would add that to the Conformance Clause section.]
Electronic Records (John Kelsey):
The high level discussion on electronic records involves how particular components (voting devices) have to exchange electronic records (e.g., VVPAT system sending vote totals and ballot images to election management system), what information must be included in those records, and how they will be protected cryptographically. It also discusses the ability needed to print out reports with certain information on them that links back to the auditing chapter.
The big change in this chapter was that John originally had a lot of discussion about certificates and a lot of overlap with the cryptography chapter. Much of that information has been cut, and the chapter instead includes references to the cryptography chapter. The electronic records chapter also specifies two different final reports: an audit tally and a final tally. There are requirements here to protect voter privacy. John Kelsey requested comments from election officials about what information was needed in the final tally. Any comments are needed by COB Wednesday, June 20th.
Voter Verifiable Paper Records (VVPR) (John Kelsey):
There are two high-level systems of VVPR: optical scan systems and VVPAT systems. The informational text in this chapter discusses the reasons behind VVPR: so that the voter can see their ballot to verify it, and so that it can be recounted. John Kelsey was not at the last TGDC plenary meeting and wanted to verify that he had captured the two major concerns from that meeting: machine readability requirements and cut sheet VVPAT requirements. [NOTE: It was pointed out that testing methods needed to be written for the machine readable requirements. John Wack will discuss this with David Flater.]
Two issues were raised. There was concern expressed about the non-human-readable information contained on an op scan system not being in a public format. It was decided by members in attendance to exclude open format on op scan systems. The other issue was regarding the rejection of paper records by a voter. It was decided to include a 'may' requirement that the system allow for election official intervention, but that if it does so, the number of tries necessary before election official intervention must be configurable, and that this must be done before an election begins.
Another big issue in this section was in regard to cut sheet VVPATs. The original requirement did not allow for ballots to be split across multiple sheets, which would prevent using off-the-shelf printers and paper. It was changed to allow splitting cast vote records over multiple sheets. There is a new requirement that does not allow questions to be split across sheets. Each sheet must be rejected or accepted individually. John Kelsey requested comments from the election officials.
The requirement that linking between electronic records and paper records is optional was clarified. The system must be capable of producing identifiers that link the two, but election officials must also be able to turn this off.
It was decided that the requirements in the VVPR section regarding batching would be deleted.
ANY COMMENTS TO ANY OF THIS MATERIAL SHOULD BE SUBMITTED IMMEDIATELY.
STS meeting is scheduled for Tuesday, June 26th. The discussion will be on OEVT.
[* Pursuant to the Help America Vote Act of 2002, the TGDC is charged with directing NIST in performing voting systems research so that the TGDC can fulfill its role of recommending technical standards for voting equipment to the EAC. This teleconference served the purposes of the STS subcommittee of the TGDC to direct NIST staff and coordinate voting-related research relevant to the VVSG 2007. Discussions on this telecon are preliminary and do not necessarily reflect the views of NIST or the TGDC.]