>>"Andrew" == Andrew Pimlott <[EMAIL PROTECTED]> writes:
Andrew> How about: Andrew> - When you vote, you additionally generate a random id and submit it Andrew> with the vote. Andrew> - In the vote list, the secretary publishes the id next to the vote. Andrew> You can still verify your vote, but you have no way to prove that you Andrew> chose a particular id, so you can't convince anyone that a particular Andrew> vote is yours. This is in no way better than the scheme we have coded and working right now. If someone can force you to give up your token, they can force you to divulge your random id; and if the id is next to the vote, you are sunk (The trick is, of course, that I'll get your ID from you before the vote tally sheet is published, so you can't fake it). In one way it is worse: What if 50 people choose Mickey Flood as their randomg ID? In the case of server generated tokens, all tokens are _known_ to be unique. If you go to great lengths to ensure the ID is unique so you can verify it, the person who has forced you to give up the ID can be sure too. Andrew> A separate matter: It's important that a sample of developers Andrew> who did not vote verify that their names are not on the voter Andrew> list; and that someone verify that all of the names on the Andrew> voter list are Debian developers. The second shall be easy: The LDAP ID's shall be provided, a simple script can talk to LDAP and get the keys, and verify against the official key rings. manoj -- Ad astra per aspera. [To the stars by aspiration.] Manoj Srivastava <[EMAIL PROTECTED]> <http://www.debian.org/%7Esrivasta/> 1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]