Re: code validation?

From: Keith Copenhagen <K_at_copetech_dot_com>
Date: Wed Feb 23 2005 - 00:46:44 CST

Just to toss my thoughts I've already floated in here...

The proof is in the audit.
We can't stop all/most attacks (think suicide bomber, or counterfeit CD
with local election official collusion...).
What we can do is detect election integrity problems with redundant
logging and data integrity checks.
It's up to the election officials & courts to triage any problems and

You can build a traceable audit trail based on PKI-signed logs, and you can
have a very high barrier to attack by making the logs redundant.

Imagine an OVC distribution CD, with
(1) a known fingerprint (file hash / full verify).
(2) a complete copy of the OVC toolchain, including
      a self-verify mechanism (say at boot time),
      a self-duplication mechanism (allowing addition of election-specific
      data files to the self-verify),
      a delegation-of-authority distributed database (a list of PKI public
      keys, signed by other private keys), and
      redundant logging mechanisms (human readable / signed by operators).

Then for an election:
   The top trusted election official (SoS)
   Verifies the OVC distribution CD against the published OVC hash.
   Initializes the delegation of authority database (DB) and creates the SoS
   private key.
      Private keys are stored on a USB flash drive (probably with a simple
      password protecting it).
   Provides the next round of delegation by creating PKI pairs (public key
   in DB, private key on USB flash drives)
      and giving out new CDs with updated DBs.

   This delegation of authority repeats as the toolchain use spreads, out
   to tabulation or voting machines.
      All actions are logged on the CD and on the USB flash drives
      (threaded redundancy: CD/tool activity for one log trace, user
      activity for the other).

   Following the election, all the logs are collected from the CDs and USB
   flash drives, signatures checked, unthreaded and audited. Discrepancies
   are flagged; for example, the number of CDs created will be known and
   can be verified against the number returned.


On Tue, 22 Feb 2005 22:58:12 -0700, Kathy Dopp wrote:

> Ron Crane wrote:
>> I more or less buy what you're saying so far. But we need to document
>> the procedures thoroughly.
> If OVC has not done so already, would you folks please create a WIKI
> page that tells how to validate voting machine code and give me the URL
> and I'll link to it from a couple of places? Or do you have a WIKI page
> on this code validation topic already?
> (now that Fred McClain taught me what wiki is)
> The general public has "no idea" how difficult it is to verify voting
> machine programs and make sure that the actual programs run on the
> machine are the "disclosed or open source" programs.
> Thanks.
> Kathy
> _______________________________________________
> OVC discuss mailing lists
> Send requests to subscribe or unsubscribe to

Keith Copenhagen
= The content of this message, with the exception of any external
= quotations under fair use, is released to the Public Domain
Received on Sun Feb 27 17:17:11 2005
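The scheme sketched in the message above, as an added toy model in Python (this is example code written for this page, not OVC code and not the author's). It assumes the pyca/cryptography package for Ed25519 signatures; every name, event string, role (SoS, county clerk, precinct machine) and the stand-in "distribution image" is constructed for illustration. It walks the whole procedure: hash the distribution image, build the delegation-of-authority DB (each public key signed by the key that delegated it, the SoS root self-asserted), write the same actions into two signed, hash-chained logs, and then run the post-election audit that checks every signature and delegation chain, cross-checks the two log threads, and compares CDs issued against CDs returned.

```python
"""Added toy model of the scheme above (not OVC code). Assumes pyca/cryptography for
Ed25519; all names, events and the distribution image below are constructed."""
import hashlib
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519

def fingerprint(data: bytes) -> str:
    """The 'known fingerprint' the SoS checks the distribution CD against."""
    return hashlib.sha256(data).hexdigest()

def canon(obj) -> bytes:  # canonical JSON so signer and verifier hash identical bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def verify(pub_hex: str, obj, sig_hex: str) -> bool:
    try:
        ed25519.Ed25519PublicKey.from_public_bytes(bytes.fromhex(pub_hex)).verify(
            bytes.fromhex(sig_hex), canon(obj))
        return True
    except InvalidSignature:
        return False

class Authority:
    """One private-key holder (SoS, county clerk, precinct machine); the key would live on USB."""
    def __init__(self, name: str):
        self.name = name
        self.key = ed25519.Ed25519PrivateKey.generate()
        self.pub = self.key.public_key().public_bytes(
            serialization.Encoding.Raw, serialization.PublicFormat.Raw).hex()
    def sign(self, obj) -> str:
        return self.key.sign(canon(obj)).hex()
    def delegate(self, db, child_name: str):
        # next round of delegation: new key pair, cert signed by this key, cert stored in the DB
        child = Authority(child_name)
        body = {"subject": child.name, "pub": child.pub, "issuer": self.name}
        db.certs[child.name] = {**body, "sig": self.sign(body)}
        return child

class DelegationDB:
    """Public keys, each signed by the key that delegated it; the SoS root is self-asserted."""
    def __init__(self, root: Authority):
        self.root = root.name
        self.certs = {root.name: {"subject": root.name, "pub": root.pub}}
    def chain_valid(self, name: str) -> bool:
        """Walk issuer links up to the root, checking each signature; bounded so a cycle fails."""
        for _ in range(len(self.certs)):
            if name == self.root:
                return True
            cert = self.certs.get(name)
            if cert is None or cert.get("issuer") not in self.certs:
                return False
            body = {k: cert[k] for k in ("subject", "pub", "issuer")}
            if not verify(self.certs[cert["issuer"]]["pub"], body, cert["sig"]):
                return False
            name = cert["issuer"]
        return False

class SignedLog:
    """Append-only, hash-chained log; each entry is signed by the actor who performed it."""
    def __init__(self, label: str):
        self.label, self.entries = label, []
    def append(self, actor: Authority, event: str):
        prev = self.entries[-1]["sig"] if self.entries else "genesis"
        body = {"seq": len(self.entries), "actor": actor.name, "event": event, "prev": prev}
        self.entries.append({**body, "sig": actor.sign(body)})
    def verify(self, db: DelegationDB) -> list:
        problems, prev = [], "genesis"
        for i, e in enumerate(self.entries):
            body = {k: e[k] for k in ("seq", "actor", "event", "prev")}
            if e["seq"] != i or e["prev"] != prev:
                problems.append(f"{self.label}: chain break at entry {i}")
            if not db.chain_valid(e["actor"]) or not verify(db.certs[e["actor"]]["pub"], body, e["sig"]):
                problems.append(f"{self.label}: bad signature at entry {i} by {e['actor']}")
            prev = e["sig"]
        return problems

def audit(db, cd_log, usb_log, cds_issued: int, cds_returned: int) -> list:
    """Post-election reconciliation: verify both threads, then cross-check them and the CD count."""
    problems = cd_log.verify(db) + usb_log.verify(db)
    cd_ev = {(e["actor"], e["event"]) for e in cd_log.entries}
    usb_ev = {(e["actor"], e["event"]) for e in usb_log.entries}
    problems += [f"event in only one thread: {ev}" for ev in sorted(cd_ev ^ usb_ev)]
    if cds_issued != cds_returned:
        problems.append(f"CDs issued {cds_issued} != returned {cds_returned}")
    return problems

def run_election(tamper: bool = False) -> list:
    """Walk the procedure end to end; tamper=True alters one USB log entry after it was signed."""
    cd_image = b"constructed stand-in for the OVC distribution image"
    published_hash = fingerprint(cd_image)  # step 1: SoS re-hashes the CD and compares
    assert fingerprint(cd_image) == published_hash, "distribution CD does not match published hash"
    sos = Authority("SoS")
    db = DelegationDB(sos)
    county = sos.delegate(db, "county-clerk")
    machine = county.delegate(db, "precinct-7-machine")
    cd_log, usb_log = SignedLog("cd"), SignedLog("usb")
    for actor, event in [(sos, "verified CD " + published_hash[:8]), (county, "issued CD #1"), (machine, "opened polls")]:
        cd_log.append(actor, event)  # threaded redundancy: the same action lands in both logs
        usb_log.append(actor, event)
    if tamper:
        usb_log.entries[1]["event"] = "issued CD #2"
    return audit(db, cd_log, usb_log, cds_issued=1, cds_returned=1)
```

Calling run_election() returns an empty discrepancy list; run_election(tamper=True) returns three findings (the altered USB entry fails its signature, and the altered event then appears in only one thread for each of the two versions). A key whose certificate was not signed by something that chains back to the SoS root fails chain_valid, so entries it signs are flagged even though the signature itself is mathematically fine. In practice the hash-chain "prev" links matter as much as the signatures: they are what lets the auditor notice an entry that was deleted rather than altered.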
