"OVC Compliant" certification

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Tue May 11 2004 - 13:22:37 CDT

On May 11, 2004, at 2:01 PM, Arthur Keller wrote:
> From OVC's point of view, it's bad to have such competition. However,
> if OVC is unable or unwilling to make those kinds of improvements, is
> it against the public good for OVC to be in competition? There are
> multiple vendors of Linux implementations, aren't there? Is that a
> good thing or a bad thing?

I'm with Arthur here. I like OVC; but I like fair elections even
better. If we got the latter without the former, I wouldn't be
terribly unhappy. But more likely, we'll get the latter -because of-
the former.

There are two "levels" of certification that I envision. OVC should
develop a set of principles and standards that every voting system
should conform to (paper trails, canvassing procedures, data formats,
inspectible source code, etc). Obviously, those standards will need to
be broad enough to also simultaneously be consistent with (most)
jurisdictional rules.

If any given system meets all the standards set forth by OVC, it should
be eligible for an "OVC-Compliant" label. We might require a fee
and/or a corporate-level membership to grant this certification; but we
will not per se demand a compliant system use our reference source
code. Of course, a system that actually does use our reference
components will be a lot closer to meeting standards out of the gates.

The OVC-Compliant mark is not primarily a direct security audit. It
will involve some minimal conditions to allow a proper security audit
to be possible at all, but I don't think OVC will directly certify
lines of code (as opposed to principles and process). Or if it do, it
will be in the "State Certification Department."

States and counties that want to purchase/lease actual systems will
hopefully look for vendors whose system already carry an OVC-Compliant
mark. They'll do so both because they know our principles promote fair
elections, and also because they enable the states/counties to perform
adequate security audits. But once they've narrowed their search to
OVC-Compliant systems, they'll still need to perform their own
certification process on those systems. Hopefully, their process will
be made easier by the OVC prerequisites, but it won't be zero.
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Mon May 31 23:17:35 2004

This archive was generated by hypermail 2.1.8 : Mon May 31 2004 - 23:18:16 CDT