Proposed OVC Listed Policies, Second Draft

From: Arthur Keller <voting_at_kellers_dot_org>
Date: Sun Jan 21 2007 - 20:59:18 CST

At its October 20, 2006 meeting, the OVC Board voted unanimously to
create "an OVC listed mark that is to be given solely on the nature
of the disclosure, type of license, and vendor attestations." The
OVC is to publish the disclosure, license, and vendor attestations on
its websites. Details about the requirements of what is to be
disclosed and under what licenses and what vendor attestations were
to be posted to the OVC discuss list subsequently. Further
discussions took place at the November 17, 2006 OVC Board meeting.
Feedback was received from readers of the OVC discussion list. The
following proposal reflects these discussions.

The "OVC Listed" mark indicates that the source, documentation,
license, etc., of an electronic voting system are publicly disclosed
on an OVC-sponsored website.

Definition: A component is considered COTS (Commercial-Off-The-Shelf)
if it is (1) general purpose (e.g., operating system software,
hardware driver, or database system), (2) not modified, configured,
or customized in any manner for voting use, (3) available for sale to
the general public, and (4) allows reverse engineering for voting
system evaluation and testing as well as publication of evaluation
and tests, including but not limited to usability, performance,
errors and bugs.

To apply for an "OVC Listed" mark, the vendor must submit the following items:

1. Inventory of components of system (e.g., electronic ballot
printer, ballot reconciliation system, ballot verification system)
and their version identifiers.
2. Full source code for each voting-specific component of system,
including make files, header files, and configuration files, and any
other file needed to build a complete version of the system (such as
COTS object code below) in a compilable form. Source code for
software COTS (Commercial-Off-The-Shelf) components need not be
included provided that procurement specifications and contracts for
these components is included in the submission for the "OVC Listed"
mark.
3. Object code image for each component of system (including COTS components).
4. Checksums of object code image for each component of system (e.g.,
MD5, etc.; list of required checksums may be updated by OVC from time
to time).
5. Hardware, Software, and System Specifications.
6. Documentation.
7. Internal and external document formats and sample documents (e.g.,
ballot definition files, cast ballot records, vote total records).
8. Hardware dependencies, specifications, and requirements. For COTS
hardware components, the specifications must be sufficient to
determine which component is used, including revision codes, etc.
For custom components, the designs shall be disclosed, and shall be
subject to the license restrictions below. Contracts and
specifications for the design and manufacture of the custom hardware
components shall be disclosed to OVC, including those subsequent to
the application, except that pricing data may be redacted from the
submission.
9. For each Commercial-off-the-shelf (COTS) component (e.g.,
operating system or device or printer drivers), specifications,
version numbers, dates of manufacture. requirements and uses.
10. Feature Checklist (e.g., paper ballot vs. electronic ballot with
paper audit trail; basic architectural type). The Feature Checklist
may be changed by OVC from time to time.
11. License(s) for the system, as per the requirement below.
12. Reports on the results of non-internal tests, such as by
Independent Testing Authorities, Voting System Testing Laboratories,
or acceptance tests by customers.
13. Procurement contracts for purchase, modification, maintenance,
and support of the systems with the "OVC Listed" mark, including
those subsequent to the application.
14. The submission shall include all items herein that are available
at the time of the application for the "OVC Listed" mark. The vendor
shall submit all items not avaiable at the time of the application
for the "OVC Listed" mark within 10 business days of their receipt by
the vendor (or, in the case of contracts, 10 business days of their
execution by the vendor).
14. An attestation that all components and descriptions submitted are
accurate and represent the versions identified.

The Vendor license must allow others also to publish the software
(and custom hardware designs), anyone to test and experiment and
analyze, including publication of analyses including excerpts of
source code. The vendor may retain copyrights, trademark rights, and
patent rights, but not trade secret rights.

OVC will assign an "OVC Listed" identifier, and publish all of the
information submitted (on websites or through other means) with the
identifier. Each configuration/version is a separate submission with
its own "OVC Listed" identifier. Updated versions or configurations
must be resubmitted to be OVC Listed.

If the submission for "OVC Listed" mark includes COTS components
whose source code is not disclosed, then wherever the "OVC Listed"
mark is used for this submission the legend "(COTS Components Not
Disclosed)" shall also appear.

OVC will document the process for submitting a voting system to be
OVC Listed and will provide a contract for the use of the OVC Listed
mark.

-------

Note: Vendors are not required to grant the rights to make derivative
works or derivative systems (other than as part of analyses, tests,
or experiments), and the rights to use the system for elections would
not be required to be granted as part of obtaining an OVC listing.

Note: OVC may charge for listing or make iisting a benefit of certain
classes of membership.

Note: The "OVC Listed" mark does not imply any testing of the voting
system by or for the OVC. The OVC intends subsequently to develop
concepts of open testing,

Note: The OVC may host a website or email list or other mechanism for
reporting problems with voting systems (whether listed or not), or
link to websites maintained by others.

-------

Note: Feedback on this proposal are requested. In particular,
suggestions are requested on what should be in the feature checklist.

Respectfully submitted,
Arthur Keller
OVC Board Secretary

-- 
-------------------------------------------------------------------------------
Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA  94303-4507
tel +1(650)424-0202, fax +1(650)424-0424
_______________________________________________
OVC-discuss mailing list
OVC-discuss@listman.sonic.net
http://lists.sonic.net/mailman/listinfo/ovc-discuss
==================================================================
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
==================================================================
Received on Tue Jan 1 14:12:46 2008

This archive was generated by hypermail 2.1.8 : Tue Jan 01 2008 - 14:12:51 CST