Security and Transparency Subcommittee (STS) Conference Call
November 28, 2006
2) Preview/Review of draft presentations
3) Other Items
4) Next call?
Allan Eustis, Barbara Guttman, David Wagner, Helen Purcell, John Kelsey,
John Wack, Nelson Hastings, Quynh Dang, Ron Rivest, Sharon Laskowski,
TGDC members should have received the advance CD for the meeting
next week. Some papers will be revised. John Wack will send out new
ones; the notebook will have the accurate copy.
Sunday night reception will be in Rockville room of the hotel.
W: Wondering if TGDC should be sent an email specifying a "reading
list". Ron Rivest to send out email about what STS recommends
of Draft Presentations:
had suggesting rearranging topics on the agenda.
flow of the agenda was captured as follows (discussion points that were
addressed regarding each are also included):
Barker leads by saying auditing is good - generically that is how
we secure systems in the world today;
to talk about the auditability of systems from a security perspective,
general information about other auditable systems such as financial
systems, etc. This will set the stage for the talks that deal specifically
with voting systems.]
Wack builds off that - we don't know how to write good requirements
for closed box DREs;
is that some people on the TGDC will not be happy about banning stand-alone
DREs - an aggressive discussion may ensue at the meeting. Going to
say that NIST conducted a lot of research, did a lot of threat analyses,
observed elections, worked with vendors, and NVLAP test labs, and
kept coming to same conclusion - people that used VVPR machines were
more secure and most resistant to threats. NIST cannot write requirements
to make up for lack of audit capabilities in closed box DREs. Not
a good direction for VVSG 07. NIST researched IDV, and the goal is
to write requirements for paperless software IV systems that are independently
Unable to derive general testable requirements. NIST would investigate
further, but they would be design specific. Conclusions about VVPR
and problems. We should talk about all the work that's being done
in STS and CSD, not just the material we determined would be of most
interest to the TGDC.]
to talk about software independence and innovation class - followed
Wack sent some rough draft slides to Ron last night for the SI presentation.
Also sent two draft resolutions. We need a third resolution for wireless
- an amendment to an existing resolution. Slides say STS has developed
strategy recommending software independence; possible paperless SI
approaches; what is software independence; why end-to-end would be
premature; and roadmap for new approaches to voting systems (innovation
classes). Recommendations need to be built into the 3 hour period.
[Recommendation for Resolutions: To write requirements only for SI
based systems, innovation classes being implemented, and recommendations
to EAC (?). Before the December 4 meeting, John/Ron to ask EAC if
they would like resolutions/recommendations that might be useful for
talking to Congress.
We do not know how to do software independence for blind voters. There
are lots of classes of disabilities that we do not know how to handle.
For typical voters, we want software independent systems. For voters
with disabilities, we need flexibility. We need reasonable accommodations
for voters with disabilities. Verification is a tough one to figure
out. [NOTE: Software independence has to do with the auditing of the
system, not for the usage of the voter.]
Procedural defense: We need to have sighted people use the assistive
technology and vote and look at their paper record to verify their
vote. This gives you the security property you want. VVPAT is ok because
it is not the vote of record - there are accessibility problems with
to discuss changes and additions made to HFP section. Sharon to think
in terms of accessibility in the voter verification process. Sharon
to include slide on "next steps".
A good strategy has been developed in how the security work should
be approached in the VVSG 07. If the SI stuff goes down in flames, do
we have a contingency plan? Yes. If we don't have an agreement from
the TGDC on SI, it will not radically change what is being done in
security analysis or the IDV.
want the TGDC to recommend that NIST work on the SI stuff and write
requirements for those.
about non-SI systems? If the TGDC says we should write requirements
for them, then the burden is on those people to say what kind of approach
should be taken.
What requirements do we write for the current set of DREs if it is
recommended we do so?]
Kelsey to discuss audit architecture and IDV - the high level approach
to writing a security standard; identifying threats and addressing
IDV is still a research problem - we're not ready to write standards
for it. Point out that problems experienced with paper systems could
significant changes - status, wireless with amendment of resolution
introduced by Ron, then VVPR, setup validation, electronic record
requirements - Nelson
should be expected regarding hardware change requirements
happens to grandfathered systems, such as the closed box DREs? This
should be discussed at beginning of meeting. It deals with all 3 subcommittees
- Mark should discuss at beginning of meeting. There may be objections
because people may think that what we have now in the paper machines
may be the best we can do - there are lots of improvements that can
be made - it needs to be built from the ground up to work appropriately.
point of this meeting is to be able to go out and write requirements
for VVSG 07.
will be circulated around to STS members for vetting before meeting.
and John recommended new way to do teleconference. Pick issues that
would become focus of teleconference, overlapping with two or more
Rivest to make phone calls to other TGDC members for preliminary discussions.
teleconference will be December 19, 2006, at 10:30 a.m.