Re: Initial thoughts on technical design

From: Douglas W. Jones <jones@cs.uiowa.edu>
Date: Wed Jul 30 2003 - 13:37:25 CDT

> | 1. When a machine is "initialized" at the beginning of the voting
> | period, it generates a private key (priv) using a symmetric
> | encryption algorithm like AES.
>
> I think I misphrased this. AES or the like does not itself generate the
> key. Something like the Python rand module does that. I meant "for use
> with a symmetric algorithm" or something like that.

Until we have a real security model with a decent threat
analysis, it's premature to commit to a particular model
of key management or generation.

In terms of methodology for this kind of thing, first you
design the system for functionality, then you identify
the objects (both code and data) that must interact in the
system, do a threat analysis, and then install appropriate
additional fields (keys, checksums) and appropriate filters
(encrypt, compute checksum, etc).

Of course, our first hack can include first-hack solutions
to this, but those are just guesses! Many of them will be
correct, some will be ineffective (and should be eliminated
from the product because they only obscure what is really
happening).

As to standards, I agree that it's safe to play loose with
standards in a prototype, but in the end, we must either
argue that the standards should be changed or conform to them.
Unfortunately, once the standards are law (and for voting
systems, the 2002 standards have been enacted into the state
laws of most states) we're stuck with them, even when they
are stupid.

The same could become true of the OASIS proposals for voting
system data encoding. I don't think highly of XML and company,
but it's highly likely that OASIS will end up proposing a
standard that will be written by citation into the next
generation of the voting system standards by the IEEE (which
has picked up the ball with the next round of changes to the
2002 standard), and when this happens, vendors will be stuck
conforming to the OASIS standard whether they like it or not.

That means: 1) For those with time on their hands, it's a good
idea to read the current draft of the IEEE standard and comment
on it, particularly those who are IEEE members and can vote
on it. 2) Someone's got to find out what's the status of the
OASIS standard! Are there drafts out yet that can be
commented on?

                                Doug Jones
                                jones@cs.uiowa.edu
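The exchange above separates two things: generating a key (a random-number
source does that) and the fields and filters a threat analysis later tells
you to bolt onto a data object (a key, a checksum, an encrypt or
compute-checksum step). The following is an added example, not code from
this post or from the OVC project, showing both on a constructed
voting-machine event record. The record fields, the choice of HMAC-SHA256
as the checksum, and the use of Python's `secrets` module (which draws from
the operating system's CSPRNG) are my assumptions, not anything the thread
specifies.

```python
"""Added example: a key generated by the OS CSPRNG and a keyed checksum
field added to a data object, with the write-side and read-side filters.

The EventRecord below is a constructed sample, not a format from the post.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import asdict, dataclass

KEY_BYTES = 32  # 256-bit key, sized for AES-256 or HMAC-SHA256


def generate_key(nbytes: int = KEY_BYTES) -> bytes:
    """Key generation is separate from the cipher or MAC that consumes it.
    secrets.token_bytes() reads from the operating system's CSPRNG."""
    return secrets.token_bytes(nbytes)


@dataclass
class EventRecord:
    """Constructed sample data object. 'mac' is the integrity field that a
    threat analysis would have us add; it is empty until the record is sealed."""
    machine_id: str
    seq: int
    event: str
    mac: str = ""


def canonical(rec: EventRecord) -> bytes:
    """Serialize every field except the checksum itself, deterministically,
    so both sides compute the MAC over identical bytes."""
    fields = asdict(rec)
    fields.pop("mac")
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def seal(rec: EventRecord, key: bytes) -> EventRecord:
    """Filter applied when the record is written: compute HMAC-SHA256."""
    tag = hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()
    return EventRecord(rec.machine_id, rec.seq, rec.event, tag)


def verify(rec: EventRecord, key: bytes) -> bool:
    """Filter applied when the record is read back: recompute the MAC and
    compare in constant time so the comparison leaks no timing information."""
    expected = hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, rec.mac)


def demo() -> dict:
    """Seal a record, then try a genuine read, a tampered body, and a wrong key."""
    key = generate_key()
    original = seal(EventRecord("M-07", 1, "POLLS_OPEN"), key)
    # Attacker edits the event but keeps the old checksum.
    tampered = EventRecord(original.machine_id, original.seq,
                           "POLLS_CLOSED", original.mac)
    other_key = generate_key()
    return {
        "key_len": len(key),
        "genuine": verify(original, key),
        "tampered": verify(tampered, key),
        "wrong_key": verify(original, other_key),
    }


if __name__ == "__main__":
    print(demo())
```

The point the code makes that the prose does not: the checksum is worthless unless the verifying side holds the same key and recomputes over the same canonical bytes, and the "filter" shows up twice, once on write and once on read.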