Security and Transparency Subcommittee (STS) Conference Call
November 28, 2006


1) Administrative Updates
2) Preview/Review of draft presentations
3) Other Items
4) Next call?

Participants: Allan Eustis, Barbara Guttman, David Wagner, Helen Purcell, John Kelsey, John Wack, Nelson Hastings, Quynh Dang, Ron Rivest, Sharon Laskowski, Wendy Havens

Administrative Updates:

  • Allan: TGDC members should have received the advanced CD for the meeting next week. Some papers will be revised. John Wack will send out new ones, notebook will have the accurate copy.
  • Allan: Sunday night reception will be in Rockville room of the hotel.
  • John W: Wondering if TGDC should be sent an email specifying a "reading list". Ron Rivest to send out email about what STS recommends reading.

Preview/Review of Draft Presentations:

John Wack had suggesting rearranging topics on the agenda.

The current flow of the agenda was captured as follows (discussion points that were addressed regarding each are also included):

  • Curt Barker leads by saying auditing is good - generically that is how we secure systems in the world today;

    [Plans to talk about the auditability of systems from a security perspective, general information about other auditable systems such as financial systems, etc. This will set the stage for the talks that deal specifically with voting systems.]

  • John Wack builds off that - we don't know how to write good requirements for closed box DREs;

    [Concern is that some people on the TGDC will not be happy about banning stand-alone DREs - an aggressive discussion may ensue at the meeting. Going to say that NIST conducted lot of research, did a lot of threat analyses, observed elections, worked with vendors, and NVLAP test labs, and kept coming to same conclusion - people that used VVPR machines were more secure and most resistant to threats. NIST cannot write requirements to make up for lack of audit capabilities in closed box DREs. Not a good direction for VVSG 07. NIST researched IDV, and the goal is to write requirements for paperless software IV systems that are independently auditable.

    Unable to derive general testable requirements. NIST would investigate further, but they would be design specific. Conclusions about VVPR and problems. We should talk about all the work that's being done in STS and CSD, not just the material we determined would be of most interest to the TGDC.]

  • Ron to talk about software independence and innovation class - followed by resolutions;

    [John Wack sent some rough draft slide to Ron last night for the SI presentation. Also sent two draft resolutions. We need a third resolution for wireless - an amendment to an existing resolution. Slides say STS has developed strategy recommending software independence; possible paperless SI approaches; what is software independence; why end-to-end would be premature; and roadmap for new approaches to voting systems (innovation classes). Recommendations need to be built into the 3 hour period. [Recommendation for Resolutions: To write requirements only for SI based systems, innovation classes being implemented, and recommendations to EAC (?). Before the December 4 meeting, John/Ron to ask EAC if they would like resolutions/recommendations that might be useful for talking to Congress.

    We do not know how to do software independence for blind voters. There are lots of classes of disabilities that we do not know how to handle. For typical voters, we want software independent systems. For voters with disabilities, we need flexability. We need reasonable accommodations for voters with disabilities. Verification is a tough one to figure out. [NOTE: Software independence has to do with the auditing of the system, not for the usage of the voter.]

    Procedural defense: We need to have sighted people use the assistive technology and vote and look at their paper record to verify their vote. This gives you the security property you want. VVPAT is ok because it is not the vote of record - there are accessibility problems with VVPAT.
    HFP to discuss changes and additions made to HFP section. Sharon to think in terms of accessibility in the voter verification process. Sharon to include slide on "next steps".

    A good strategy has been developed in how the security work should be approach in the VVSG 07. If the SI stuff goes down in flames, do we have a contingency plan? Yes. If we don't have an agreement from the TGDC on SI, it will not radically change what is being done in security analysis or the IDV.
    We want the TGDC to recommend that NIST work on the SI stuff and write requirements for those.
    What about non-SI systems? If the TGDC says we should write requirements for them, then the burden is on those people to say what kind of approach should be taken.

    What requirements do we write for the current set of DREs if it is recommended we do so.]

  • John Kelsey to discuss audit architecture and IDV - the high level approach to writing a security standard; identifying threats and addressing those threats

    [Building IDV is still a research problem - we're not ready to write standards for it. Point out that problems experienced with paper systems could get better.]

  • Other significant changes - status, wireless with amendment of resolution introduced by Ron, then VVPR, setup validation, electronic record requirements - Nelson

  • Discussion/questions should be expected regarding hardware change requirements

What happens to grand-fathered systems, such as the closed box DREs? This should be discussed at beginning of meeting. It deals with all 3 subcommittees - Mark should discuss at beginning of meeting. There may be objections because people may think that what we have now in the paper machines may be the best we can do - there are lots of improvements that can be made - it needs to be built from the ground up to work appropriately.

The main point of this meeting is to be able to go out and write requirements for VVSG 07.

Presentations will be circulated around to STS members for vetting before meeting.

Other Items:

  • Allan and John recommended new way to do teleconference. Pick issues that would become focus of teleconference, overlapping with two or more subcommittees.
  • Ron Rivest to make phone calls to other TGDC members for preliminary discussions.
  • Next teleconference will be December 19, 2006, at 10:30 a.m.
Action Items:
  • Ron will be writing the next draft of the resolutions for Software Independence.
  • John Wack will be preparing the next draft of the amended wireless resolution.

Teleconferences from 2004, 2005, 2006 and upcoming in 2006.


Link to NIST HAVA Page

Last updated: July 25, 2007
Point of Contact

Privacy policy / security notice / accessibility statement
Disclaimer / FOIA
NIST is an agency of the U.S. Commerce Department