NIST VVSG2 and split level process

From: David Webber \(XML\) <"David>
Date: Mon Jun 13 2005 - 22:19:45 CDT

I'm pretty ecstatic over page 98 here!

Page 98 in this report is in effect a glowing endorsement for the TLV-style
approach - and points up the deficiencies in the current simple DRE's
approach. They term independent verification systems as the "top level" of
electronic voting systems - and describe the process they use as "a split
process system". This definately applies to the Trusted Logic Voting
processing using OASIS EML 4.0 formats and also to what OVC is

Excellent to see that NIST appreciate the value and need for these
mechanisms and detail the handling that they entail.

State election boards should now be able to determine why these are critical
for meeting the needs of VVPAT systems, not just simply printing out paper
records as some VVPAT designs assume as a minimum.

The only damper of course is that none of this is required on any body.

However - it does open the door to push States into adopting systems
that conform to top level requirements - and not the others!?!


Here's the text from the VVSG2 page 98:

Independent Verification is the top-level categorization for electronic
voting systems that produce multiple records of ballot choices whose
contents are capable of being audited to high levels of precision. For this
to happen, the records must be produced, verified by the voter, and
subsequently handled according to the following protocol:

(a) At least two records of the voter's choices are produced and one of the
records is then stored such that it cannot be modified by the voting system,
e.g. the voting system creates a record of the voter's choices and then
copies it to some write-once media.

(b) The voter must verify that both records are correct, e.g., verify his or
her choices on the voting system's display and also verify the second record
of choices stored on the write-once media.

(c) The verification processes for the two verifications must be independent
of each other and (a) at least one of the records must be verified directly
by the voter, or (b) it is acceptable for the voter to indirectly verify
both records if they are stored on different systems produced by different

(d) The content of the two records can be checked later for consistency
through the use of identifiers that allow the records to be linked.

OVC discuss mailing lists
Send requests to subscribe or unsubscribe to
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Thu Jun 30 23:17:07 2005

This archive was generated by hypermail 2.1.8 : Thu Jun 30 2005 - 23:17:11 CDT