Security and Transparency Subcommittee (STS) Conference Call
November 28, 2006
1) Administrative Updates
2) Preview/Review of draft presentations
3) Other Items
4) Next call?
Participants:
Allan Eustis, Barbara Guttman, David Wagner, Helen Purcell, John Kelsey,
John Wack, Nelson Hastings, Quynh Dang, Ron Rivest, Sharon Laskowski,
Wendy Havens
Administrative Updates:
- Allan: TGDC members should have received the advanced CD for the meeting next week. Some papers will be revised. John Wack will send out new ones; the notebook will have the accurate copy.
- Allan: Sunday night reception will be in the Rockville room of the hotel.
- John W: Wondering if TGDC should be sent an email specifying a "reading list". Ron Rivest to send out email about what STS recommends reading.
Preview/Review of Draft Presentations:
John Wack had suggested rearranging topics on the agenda. The current flow of the agenda was captured as follows (discussion points that were addressed regarding each are also included):
- Curt Barker leads by saying auditing is good - generically that is how we secure systems in the world today;
  [Plans to talk about the auditability of systems from a security perspective, general information about other auditable systems such as financial systems, etc. This will set the stage for the talks that deal specifically with voting systems.]
- John Wack builds off that - we don't know how to write good requirements for closed box DREs;
  [Concern is that some people on the TGDC will not be happy about banning stand-alone DREs - an aggressive discussion may ensue at the meeting. Going to say that NIST conducted a lot of research, did a lot of threat analyses, observed elections, worked with vendors and NVLAP test labs, and kept coming to the same conclusion - people that used VVPR machines were more secure and most resistant to threats. NIST cannot write requirements to make up for lack of audit capabilities in closed box DREs. Not a good direction for VVSG 07. NIST researched IDV, and the goal is to write requirements for paperless software IV systems that are independently auditable.
  Unable to derive general testable requirements. NIST would investigate further, but they would be design specific. Conclusions about VVPR and problems. We should talk about all the work that's being done in STS and CSD, not just the material we determined would be of most interest to the TGDC.]
- Ron to talk about software independence and innovation class - followed by resolutions;
  [John Wack sent some rough draft slides to Ron last night for the SI presentation. Also sent two draft resolutions. We need a third resolution for wireless - an amendment to an existing resolution. Slides say STS has developed strategy recommending software independence; possible paperless SI approaches; what is software independence; why end-to-end would be premature; and roadmap for new approaches to voting systems (innovation classes). Recommendations need to be built into the 3 hour period.]
  [Recommendation for Resolutions: To write requirements only for SI based systems, innovation classes being implemented, and recommendations to EAC (?). Before the December 4 meeting, John/Ron to ask EAC if they would like resolutions/recommendations that might be useful for talking to Congress.
  We do not know how to do software independence for blind voters. There are lots of classes of disabilities that we do not know how to handle. For typical voters, we want software independent systems. For voters with disabilities, we need flexibility. We need reasonable accommodations for voters with disabilities. Verification is a tough one to figure out. [NOTE: Software independence has to do with the auditing of the system, not for the usage of the voter.]
  Procedural defense: We need to have sighted people use the assistive technology and vote and look at their paper record to verify their vote. This gives you the security property you want. VVPAT is ok because it is not the vote of record - there are accessibility problems with VVPAT.
  HFP to discuss changes and additions made to HFP section. Sharon to think in terms of accessibility in the voter verification process. Sharon to include slide on "next steps".
  A good strategy has been developed in how the security work should be approached in the VVSG 07. If the SI stuff goes down in flames, do we have a contingency plan? Yes. If we don't have an agreement from the TGDC on SI, it will not radically change what is being done in security analysis or the IDV.
  We want the TGDC to recommend that NIST work on the SI stuff and write requirements for those.
  What about non-SI systems? If the TGDC says we should write requirements for them, then the burden is on those people to say what kind of approach should be taken.
  What requirements do we write for the current set of DREs if it is recommended we do so?]
- John Kelsey to discuss audit architecture and IDV - the high level approach to writing a security standard; identifying threats and addressing those threats
  [Building IDV is still a research problem - we're not ready to write standards for it. Point out that problems experienced with paper systems could get better.]
- Other significant changes - status, wireless with amendment of resolution introduced by Ron, then VVPR, setup validation, electronic record requirements - Nelson
- Discussion/questions should be expected regarding hardware change requirements
  What happens to grand-fathered systems, such as the closed box DREs? This should be discussed at beginning of meeting. It deals with all 3 subcommittees - Mark should discuss at beginning of meeting. There may be objections because people may think that what we have now in the paper machines may be the best we can do - there are lots of improvements that can be made - it needs to be built from the ground up to work appropriately.
The main point of this meeting is to be able to go out and write requirements for VVSG 07.
Presentations will be circulated around to STS members for vetting before meeting.
- Allan and John recommended a new way to do teleconferences. Pick issues that would become the focus of a teleconference, overlapping with two or more subcommittees.
- Ron Rivest to make phone calls to other TGDC members for preliminary discussions.
- Next teleconference will be December 19, 2006, at 10:30 a.m.
Action Items: