Re: hash functions Re: OVC - I "really" need your help with "public disclosure" legislative suggestion

From: Cameron L. Spitzer <cls_at_truffula_dot_sj_dot_ca_dot_us>
Date: Mon Nov 27 2006 - 16:03:15 CST

I'm not concerned with verifying exact copies. Md5sum or gpg
are good enough for me. My concern is the larger process
problem. How to be sure the copy you're verifying is really
the one that was used for the live election. How to be sure
the verification tool you're using (in the Registrar's office?
at a polling place?) hasn't been rigged. If you're allowed
to bring your own tool, then so are your political adversaries.
How to be sure the tool they brought hasn't been rigged
to commit some mischief.

I trust the binaries I get from Debian because there is a
signature chain that goes all the way through the distribution
back to the developers, and there's a process for ejecting
a developer who becomes untrustworthy. But that means I
have to take everybody's word for it all the way up the chain
that the code repositories have been secured by competent
and trustworthy people, and there's no man-in-the-middle
between Debian.org and my local mirror. It's reasonable
because we have a community bound by fairly common values
and a common goal. That condition doesn't exist in
elections, and the incentives for cheating are a lot higher.

Cameron

==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Thu Nov 30 23:17:13 2006
