"e-ballot" -- Proposal for Electronic Voting, Version A

Brian High kv9x at scn.org
Thu Dec 17 18:24:05 PST 1998


Barbara,

First, let's move this discussion to just one email list: services at scn.org
This will be my last cross-post.  Do not "reply-to-all" if you choose to
reply. :-)

===
Short answer: I am against using encryption, and instead propose we use
standard file-level security -- meaning only the file owner and the
sysadmin (root) can read files.  This is the same security your "inbox"
has for your email.
===

"root" is the administrator's account on a Unix system.  There are a handful
of SCN volunteers who have this access for administrative use.  Root can see
and do anything (short of reading encrypted files for which they do not
have the decryption key).  Usually these people do not log into root
except when necessary to do specific tasks that require it.  If our
administrators use root to snoop, that is another matter.

The proposed system does not use encryption, but instead will use files
that are readable only by the file owner (e-ballot) and the human who can
access that account (votemaster) and root (because root can see everything
...).

This brings up the point that Kurt and others did; most people do not know
all of this stuff and may be skeptical and untrusting of even the most
well-planned and private system.  However, I feel that for regular
committee or IP work, the privacy is important but if somebody is not
perfectly comfortable with the technology, they do not have to use it.
Same goes for email for that matter.  The fact is, most committee work
does not need to be private and secret anyway.

We can make the system as private as personal email files can be.  That's
pretty good.  Without PGP, that is about the _best_ we could do.  I am
against PGP for the reasons others have mentioned: not all voters have
access to the tools they would need.  (Dumb terminals cannot do PGP unless
the PGP tools are on SCN, which is a bad idea because then PGP would be
no better than unix file security ... and we would be back where we
started.)


Anyway, there were some errors in the proposal ... and some security
holes.  The biggest error is that the statement "e-ballot will never send
passwords" should read "e-ballot will never send voter passwords to anyone
but the newly registered voter".

Also, if the voter saves their password to some file in their work
directory, it is likely that that file would be readable by others.
Therefore voters would have to be warned against doing so.

--Brian

On Thu, 17 Dec 1998, Barb Weismann wrote:

> Brian:
> I haven't read all of this, but would like to say I wish it were not open
> to "root."  Doesn't that mean everyone who has root access?  Is there any
> way to put protects around specific votes, so only one person has access,
> the Vote Master?
>
> Thanks for this very interesting approach.
> Barb
>
>
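
Added example, not part of the original message or the e-ballot proposal: the owner-only file mode described above, together with a check for the exposure Brian mentions when a password is saved into a work directory. The file names and helper functions are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed illustration; paths and sample data are made up.
# Mode bits do not restrict root, as the message notes.

# Create an empty file readable and writable by its owner only (mode 0600).
# umask 077 in a subshell means the file is never briefly readable by others.
make_private_file() {
    ( umask 077 && : > "$1" ) && chmod 600 "$1"
}

# Succeed only if no group/other permission bit is set on the path.
is_owner_only() {
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# List regular files under a directory that group or other can read,
# e.g. a password a voter saved into their work directory.
list_exposed() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -print
}

# Demo on a throwaway directory (constructed sample data).
demo() {
    d=$(mktemp -d) || return 1
    make_private_file "$d/ballots.dat"
    ( umask 022 && echo "constructed-sample" > "$d/my-vote-password.txt" )
    echo "owner-only ballot store:"
    is_owner_only "$d/ballots.dat" && echo "  $d/ballots.dat"
    echo "readable by others:"
    list_exposed "$d" | sed 's/^/  /'
    rm -rf "$d"
}

demo
```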


