OVC standards of conduct

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Sun Aug 17 2003 - 12:10:50 CDT

Arthur Keller <arthur@kellers.org> wrote:
|The OVC is a trade organization that includes *service
|providers* of the production software we create. I suggest that the
|OVC include standards of conduct and performance for *service
|providers* to become members. Under the terms of the proposed GPL
|license, OVC members (or non-members for that matter) could use the
|software for free and could sell installation and maintenance
|services to election boards. Competition would exist for such
|services in price, quality, and "localness."

I know it's premature to make any real decisions on what an OVC charter
might say. But maybe not THAT premature. There's a consideration I'd
like to at least put in people's minds.

There is a difference between what OVC members would do and what many
other vendors of Free Software-based turn-key solutions do. And that's
that there's a different relevant standard of accountability and
security.

For example, lots of companies will sell me a PC with Linux and other
GPL software pre-installed on it. And companies like Linksys make
things like home routers that use some of the same software, but less
obviously exposed to users. And vending machines or kiosks might well
utilize Free software, or at least open standards. But in all those
cases, if the vendor does what they do badly, all I've really lost is
the cost of the turn-key machine.

With an improperly configured (i.e. tamper prone) implementation of
EVM/GPL (or whatever the name), what the buyer loses is fair elections.
Which makes me think that OVC members should commit to appropriate
security and audit practices as part of membership.

However, I don't think a charter can be TOO specific about this. If we
wrote that "ballots must be signed with an N-bit RSA key" or
"transmissions must utilize SFTP protocol" or the like, those specifics
might become out-of-date with evolving security "best practices."
Nonetheless, I think we are going to know some minimal protocol
requirements that would be necessary for ANY proper vendor
implementation; and I also think it is possible to include some general
language like "members will maintain 'best current cryptographic
practices' on ballot security issues."

Yours, David...

--
 mertz@   _/_/_/_/_/_/_/ THIS MESSAGE WAS BROUGHT TO YOU BY:_/_/_/_/ v i
gnosis  _/_/                    Postmodern Enterprises         _/_/  s r
.cx    _/_/  MAKERS OF CHAOS....                              _/_/   i u
      _/_/_/_/_/ LOOK FOR IT IN A NEIGHBORHOOD NEAR YOU_/_/_/_/_/    g s
==================================================================
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
==================================================================
Received on Sun Aug 31 23:17:11 2003
