KISS

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Tue May 03 2005 - 13:58:37 CDT

On May 3, 2005, at 2:25 PM, Jim March wrote:
> 1) The average voter won't understand the principle behind their "key".
> 2) The county elections department computer techs won't either,
> I would strongly recommend a more KISS approach...

I'm 100% with Jim here. KISS is central.

I've remarked frequently before that this is what's wrong with the
VoteHere approach (even if they were to genuinely open the code, rather
than hide behind pseudo-open NDAs and the like). People with PhD's in
the right field of math might well by happy with all the "provable"
properties of fancy N-of-M and knapsack algorithms, zero-knowledge
proofs, and all that stuff. I know more about that stuff than most
people--probably more than most people with math or CS PhD's, in
fact--but I still don't know quite enough to *really* understand the
ins-and-outs of VoteHere type stuff.

In fact, for this same reason, I'm a lot less enamored with a PKI
system for authentication of ballots definitions, software, cast votes,
and whatnot. I understand what public-key infrastructure and
webs-of-trust are about. But elections departments don't. And average
voters do still less.

So let's say we have this rigorous system about who signs and co-signs
what pieces of code and data, and who vouches for whose key, and all
that. Some smart OVCers like Arthur Keller, Liam Helmer and Keith
Copenhagen have developed various details about how this might work.
They're all right on the math and the tech. But ultimately, it comes
down to two possible outcomes:

(1) The elections workers don't understand what's going on, and fail to
check the right signatures and so on.
(2) The elections workers don't understand what's going on, but
nonetheless follow the checking instructions; and then have no idea
what they have or have not established.

I guess #2 is a little better than #1, but neither is all the great.

On the other hand, the system I outlined as a chronology uses
exclusively cryptographic hashes. I recognize that the underlying
design of those is also a bit mysterious. But the general concept is
one (and only needs to be one concept) that I can explain to a smart 12
y.o. The steps that each party needs to perform in my chronology can
be explicitly documented, and generally understood by the people
involved in the step. SHA-1 is the "simplest thing that can possibly
work", but it's not too simple to accomplish what needs to be
accomplished (i.e. detect tampering). Of course, that's not to say
that we don't also physically monitor materials that are moved around,
allow neutral observers, and so on.

Yours, David...

-----
If I seem shortsighted to you, it is only because I have stood on the
backs of midgets.

_______________________________________________
OVC discuss mailing lists
Send requests to subscribe or unsubscribe to arthur@openvotingconsortium.org
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Tue May 31 23:17:14 2005

This archive was generated by hypermail 2.1.8 : Tue May 31 2005 - 23:17:52 CDT