Re: Election status
On Wed, Apr 03, 2002 at 02:27:28PM -0600, Manoj Srivastava wrote: Sven == Sven [EMAIL PROTECTED] writes: Sven Was this md5sum not supposed to be sent in the aknowledgement ``Supposed'' to be? I don't think that it was decided to modify the vote system, no. The best I recall is some discussion last year about secret ballot protocols, but that is as far as it went. Well, i did not yet receive any kind of aknowledgement for my vote, but as i understood, it should contain some kind of id or something which i can use to check that the voting script did its job right. And the problem is not so much to check that there is not some evil intention on the vote-master's part or something such, just to check that the voting script did not misfire. Sven mail of the ballot, so it would only be comparing two md5sums, Sven quite easy to do. Two cutpastes should do the job, nothing Sven arcane involved here ? And, of course, you then lose the benefit of having the md5sums, since I could slip the same md5sum to more than one person. I guess it would still be a deterrent, since I would never know who all did not really check the md5sum. Yes, sure, but that is the real problem. Is it really that hard to run md5sum? Can we really survive as a project if the developers feel that way? Allow me to demonstrate. (Note: since my userid is srivasta, and if my secret token was 0123456789ABXDE, then i get: - % echo srivasta 0123456789ABXDE | md5sum f305c07513500e690a7f98f10c52a7fc -- I can even do this: % egrep $(echo srivasta 0123456789ABXDE | md5sum) tally.txt and see that my vote is valid. Ok, no problem, The difficulty is that we are speaking about id + vote + secret word, and that the way of concatenating them is not clear. There would be a difference between : % echo srivasta 0123456789ABXDE | md5sum f305c07513500e690a7f98f10c52a7fc and % echo srivasta0123456789ABXDE | md5sum 3fd531504123df0165a3be23f4d8a33d Now, what about the vote part, should i use the whole text of my signed ballot, the unsigned version, (which will yield a multiline text part to md5sum) or a simple shortcut thereof. Or maybe we should forget about this part ? How hard was that? I guess I'll change the ack to put i a command line. I am not going to ship the md5sum in the ack, so there. The main problem here is what exactly we are to md5sum, not the fact that we shall md5sum something. Friendly, Sven Luther -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
Sven == Sven [EMAIL PROTECTED] writes: Sven Well, i did not yet receive any kind of aknowledgement for my Sven vote, but as i understood, it should contain some kind of id or Sven something which i can use to check that the voting script did Sven its job right. I suspect you have gotten the ack now. Sven And the problem is not so much to check that there is not some Sven evil intention on the vote-master's part or something such, Sven just to check that the voting script did not misfire. And now you know what your vote was parsed to be. Sven The difficulty is that we are speaking about id + vote + secret Sven word, and that the way of concatenating them is not clear. And you also now know that the ack said specifically what command line to use: % echo sven 0123456789ABCDE | md5sum This instruction shall also be repeated on the final tally sheet. Sven The main problem here is what exactly we are to md5sum, not the Sven fact that we shall md5sum something. The main problem is that you are not giving anyone but yourself any credit for intelligence. manoj -- I will make no bargains with terrorist hardware. Peter da Silva Manoj Srivastava [EMAIL PROTECTED] http://www.debian.org/%7Esrivasta/ 1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Wed, Apr 03, 2002 at 02:27:28PM -0600, Manoj Srivastava wrote: Sven == Sven [EMAIL PROTECTED] writes: Sven Was this md5sum not supposed to be sent in the aknowledgement ``Supposed'' to be? I don't think that it was decided to modify the vote system, no. The best I recall is some discussion last year about secret ballot protocols, but that is as far as it went. Well, i did not yet receive any kind of aknowledgement for my vote, but as i understood, it should contain some kind of id or something which i can use to check that the voting script did its job right. And the problem is not so much to check that there is not some evil intention on the vote-master's part or something such, just to check that the voting script did not misfire. Sven mail of the ballot, so it would only be comparing two md5sums, Sven quite easy to do. Two cutpastes should do the job, nothing Sven arcane involved here ? And, of course, you then lose the benefit of having the md5sums, since I could slip the same md5sum to more than one person. I guess it would still be a deterrent, since I would never know who all did not really check the md5sum. Yes, sure, but that is the real problem. Is it really that hard to run md5sum? Can we really survive as a project if the developers feel that way? Allow me to demonstrate. (Note: since my userid is srivasta, and if my secret token was 0123456789ABXDE, then i get: - % echo srivasta 0123456789ABXDE | md5sum f305c07513500e690a7f98f10c52a7fc -- I can even do this: % egrep $(echo srivasta 0123456789ABXDE | md5sum) tally.txt and see that my vote is valid. Ok, no problem, The difficulty is that we are speaking about id + vote + secret word, and that the way of concatenating them is not clear. There would be a difference between : % echo srivasta 0123456789ABXDE | md5sum f305c07513500e690a7f98f10c52a7fc and % echo srivasta0123456789ABXDE | md5sum 3fd531504123df0165a3be23f4d8a33d Now, what about the vote part, should i use the whole text of my signed ballot, the unsigned version, (which will yield a multiline text part to md5sum) or a simple shortcut thereof. Or maybe we should forget about this part ? How hard was that? I guess I'll change the ack to put i a command line. I am not going to ship the md5sum in the ack, so there. The main problem here is what exactly we are to md5sum, not the fact that we shall md5sum something. Friendly, Sven Luther -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
Sven == Sven [EMAIL PROTECTED] writes: Sven Well, i did not yet receive any kind of aknowledgement for my Sven vote, but as i understood, it should contain some kind of id or Sven something which i can use to check that the voting script did Sven its job right. I suspect you have gotten the ack now. Sven And the problem is not so much to check that there is not some Sven evil intention on the vote-master's part or something such, Sven just to check that the voting script did not misfire. And now you know what your vote was parsed to be. Sven The difficulty is that we are speaking about id + vote + secret Sven word, and that the way of concatenating them is not clear. And you also now know that the ack said specifically what command line to use: % echo sven 0123456789ABCDE | md5sum This instruction shall also be repeated on the final tally sheet. Sven The main problem here is what exactly we are to md5sum, not the Sven fact that we shall md5sum something. The main problem is that you are not giving anyone but yourself any credit for intelligence. manoj -- I will make no bargains with terrorist hardware. Peter da Silva Manoj Srivastava [EMAIL PROTECTED] http://www.debian.org/%7Esrivasta/ 1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Wed, Apr 03, 2002 at 07:49:37PM -0600, Manoj Srivastava wrote: Andrew == Andrew Pimlott [EMAIL PROTECTED] writes: Andrew How about: Andrew - When you vote, you additionally generate a random id and submit it Andrewwith the vote. Andrew - In the vote list, the secretary publishes the id next to the vote. Andrew You can still verify your vote, but you have no way to prove that you Andrew chose a particular id, so you can't convince anyone that a particular Andrew vote is yours. This is in no way better than the scheme we have coded and working right now. If someone can force you to give up your token, they can force you to divulge your random id; and if the id is next to the vote, you are sunk (The trick is, of course, that I'll get your ID from you before the vote tally sheet is published, so you can't fake it). I grant you that it is susceptible to someone who gets to you before the vote. This seems very hard to defend: the enemy can just insist that you send him your signed vote, and let him submit it. To beat this, you would have to be able to revoke the coerced vote in a way that makes the enemy think the vote he sent was counted, but makes you certain that yours was counted and his was not. Too hard for me. I think my scheme has the (slight?) advantage that it is not susceptible to someone who gets to you after the vote. The existing scheme allows you to prove (willingly) your vote to someone you meet after the vote. And, it allows an enemy who gets to you after the vote to coerce you to reveal your vote--unless you can convince him that you have destroyed and forgotten your confirmation message. (BTW, I'm not suggesting you change the scheme. Just exploring ideas.) In one way it is worse: What if 50 people choose Mickey Flood as their randomg ID? Obviously, the server rejects duplicate id's (and forces the voter to resubmit). Ok, there is a slight problem: if the secretary is crooked, and two people submit the same id and the same vote, he can forge a vote. But if people are told to choose their id's randomly, the chance can be made negligible. Andrew -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Thu, Apr 04, 2002 at 10:10:39AM -0500, Andrew Pimlott wrote: I grant you that it is susceptible to someone who gets to you before the vote. This seems very hard to defend: the enemy can just insist that you send him your signed vote, and let him submit it. To beat this, you would have to be able to revoke the coerced vote in a way that makes the enemy think the vote he sent was counted, but makes you certain that yours was counted and his was not. Too hard for me. Actually, it's pretty easy. As part of the vote, you have an order id, and whichever of these is highest, no matter what order the votes were received in, is accepted. So you give the bully the vote he wants, with `one bazillion' in the order field, and then submit the vote you really wanted with `one bazillion and one' in the order field. You need to be careful with your acks and naks in this case though. Obviously, the server rejects duplicate id's (and forces the voter to resubmit). Ok, there is a slight problem: if the secretary is crooked, and two people submit the same id and the same vote, he can forge a vote. But if people are told to choose their id's randomly, the chance can be made negligible. It's trivial for Debian users to generate high quality 128 bit random numbers, so it's also trivial to avoid collisions with something so near to certainty it's not worth worrying about. Cheers, aj -- Anthony Towns [EMAIL PROTECTED] http://azure.humbug.org.au/~aj/ I don't speak for anyone save myself. GPG signed mail preferred. Vote [1] Bdale! msg01667/pgp0.pgp Description: PGP signature
Re: Election status
On Fri, Apr 05, 2002 at 01:44:13AM +1000, Anthony Towns wrote: On Thu, Apr 04, 2002 at 10:10:39AM -0500, Andrew Pimlott wrote: I grant you that it is susceptible to someone who gets to you before the vote. This seems very hard to defend: the enemy can just insist that you send him your signed vote, and let him submit it. To beat this, you would have to be able to revoke the coerced vote in a way that makes the enemy think the vote he sent was counted, but makes you certain that yours was counted and his was not. Too hard for me. Actually, it's pretty easy. As part of the vote, you have an order id, and whichever of these is highest, no matter what order the votes were received in, is accepted. So you give the bully the vote he wants, with `one bazillion' in the order field, and then submit the vote you really wanted with `one bazillion and one' in the order field. You need to be careful with your acks and naks in this case though. But he will see that his vote wasn't counted, and punish you. How can you foil him, without him knowing you foiled him? Andrew -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Thu, Apr 04, 2002 at 10:59:51AM -0500, Andrew Pimlott wrote: On Fri, Apr 05, 2002 at 01:44:13AM +1000, Anthony Towns wrote: On Thu, Apr 04, 2002 at 10:10:39AM -0500, Andrew Pimlott wrote: I grant you that it is susceptible to someone who gets to you before the vote. This seems very hard to defend: the enemy can just insist that you send him your signed vote, and let him submit it. To beat this, you would have to be able to revoke the coerced vote in a way that makes the enemy think the vote he sent was counted, but makes you certain that yours was counted and his was not. Too hard for me. Actually, it's pretty easy. As part of the vote, you have an order id, and whichever of these is highest, no matter what order the votes were received in, is accepted. So you give the bully the vote he wants, with `one bazillion' in the order field, and then submit the vote you really wanted with `one bazillion and one' in the order field. You need to be careful with your acks and naks in this case though. But he will see that his vote wasn't counted, and punish you. How can you foil him, without him knowing you foiled him? How will he see that, exactly? There weren't any tallies posted at the end to let people verify things, and every correctly formatted, signed vote gets an ack, whether it actually gets counted or not. Getting both verifiability and deniability is difficult. Getting one or the other is quite possible, though, which was the point of the above. Cheers, aj -- Anthony Towns [EMAIL PROTECTED] http://azure.humbug.org.au/~aj/ I don't speak for anyone save myself. GPG signed mail preferred. Vote [1] Bdale! msg01670/pgp0.pgp Description: PGP signature
Re: Election status
On Fri, Apr 05, 2002 at 03:07:56AM +1000, Anthony Towns wrote: On Thu, Apr 04, 2002 at 10:59:51AM -0500, Andrew Pimlott wrote: But he will see that his vote wasn't counted, and punish you. How can you foil him, without him knowing you foiled him? How will he see that, exactly? There weren't any tallies posted at the end to let people verify things, and every correctly formatted, signed vote gets an ack, whether it actually gets counted or not. Maybe I missed something. Aren't you publicly posting the list of votes at the end, each with some token that allows the voter to verify his vote? The overriden vote won't be on the list. Getting both verifiability and deniability is difficult. Getting one or the other is quite possible, though, which was the point of the above. I have been assuming that you aren't willing to give up verifiability, and trying for some measure of deniability in addition. I think the scheme I suggested achieves this, as long as the enemy doesn't get to you before the vote. (If he does, you can still deny that you cast any particular vote, but you can't deny that you did not cast your vote with the id he told you to use.) Andrew -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Thu, 2002-04-04 at 10:44, Anthony Towns wrote: Actually, it's pretty easy. As part of the vote, you have an order id, and whichever of these is highest, no matter what order the votes were received in, is accepted. So you give the bully the vote he wants, with `one bazillion' in the order field, and then submit the vote you really wanted with `one bazillion and one' in the order field. You need to be careful with your acks and naks in this case though. Yes, but how do you then allow someone to verify correct counting of the votes. If you drop the bully's vote from the list of counted votes, he'll be very ticked when he doesn't see the ID number there; if you don't drop it, how is someone other than the secretary to count the votes? -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
Hi ya cunning election frisbee-ers ! Do you think it is important that the vote-results webpage correctly shows coerced votes ? If a voter can be coerced to vote for someone she doesnt want to vote for, then she can be coerced to put a hard-to-find remote exploit in a package she maintains ! The correct response to coercion would be a confidential mail to dpl, i think. It is within dpl's competence to correct the outcome of a voting, if that outcome was caused by coercion. (eg by rounding up 3 non-voters, asking 2 of them to vote on the candidates that the coerced voter didnt vote for, and asking the third to vote on the candidate the coercee wanted to vote for.) (interesting frisbeeing topic, dont you think :-) P.S. Manoj never let out that Asterix voted for Raphael ! have fun ! Siward -- Ridiculous thought : Streaming video in Debian manpages. Hahaha, they dont even have color ! (-:-) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Thu, 04 Apr 2002, Siward de Groot wrote: P.S. Manoj never let out that Asterix voted for Raphael ! While we're at it, it would be pretty cool to have a voting protocol where no one, not even the secretary, can find out other peoples' votes. Is such a thing possible? yours, peter This is not to say that I don't trust our current secretary, Manoj did a great job so far. Thanks a lot. -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/ msg01676/pgp0.pgp Description: PGP signature
Re: Election status
On Thu, 2002-04-04 at 17:04, Peter Palfrader wrote: While we're at it, it would be pretty cool to have a voting protocol where no one, not even the secretary, can find out other peoples' votes. Is such a thing possible? Yes. See, for example, my followup to the vote verification thread. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Thu, Apr 04, 2002 at 02:38:21PM -0500, Anthony DeRobertis wrote: On Thu, 2002-04-04 at 10:44, Anthony Towns wrote: Actually, it's pretty easy. As part of the vote, you have an order id, and whichever of these is highest, no matter what order the votes were received in, is accepted. So you give the bully the vote he wants, with `one bazillion' in the order field, and then submit the vote you really wanted with `one bazillion and one' in the order field. You need to be careful with your acks and naks in this case though. Yes, but how do you then allow someone to verify correct counting of the votes. Like I've said a few times, I'm not convinced it's possible to setup a voting system that: (a) doesn't provide receipts you can use to prove who you voted for (b) allows you to verify your vote was counted correctly (c) allows you to change your vote Look back through the thread for some approaches at avoiding two out of three of those. You'd have to research the literature if you wanted to find a more convincing answer about doing all three. You'll note that real life secret ballots only provide (a) and the first few DPL elections provided (c) with some attempt at (a), and last year's provided (b) and (c). Cheers, aj -- Anthony Towns [EMAIL PROTECTED] http://azure.humbug.org.au/~aj/ I don't speak for anyone save myself. GPG signed mail preferred. ``BAM! Science triumphs again!'' -- http://www.angryflower.com/vegeta.gif msg01681/pgp0.pgp Description: PGP signature
Re: Election status
Anthony == Anthony Towns [EMAIL PROTECTED] writes: Actually, it's pretty easy. As part of the vote, you have an order id, and whichever of these is highest, no matter what order the votes were received in, is accepted. So you give the bully the vote he wants, with `one bazillion' in the order field, and then submit the vote you really wanted with `one bazillion and one' in the order field. You need to be careful with your acks and naks in this case though. But he will see that his vote wasn't counted, and punish you. How can you foil him, without him knowing you foiled him? Anthony How will he see that, exactly? There weren't any tallies Anthony posted at the end to let people verify things, and every Anthony correctly formatted, signed vote gets an ack, whether it Anthony actually gets counted or not. Well, this year tally sheets shall indeed be presented, so that shan't work. If someone is indeed being coerced, please send me (or a DPL candidate other than the one you are being forced to vote for, or all of us) a signed message stating that. We'll see what can be done. manoj -- There are no children to take refuge in them, no father or any other relative. When a man is seized by that terminator, Death, there is no taking refuge in family. 288 Manoj Srivastava [EMAIL PROTECTED] http://www.debian.org/%7Esrivasta/ 1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Wed, Apr 03, 2002 at 07:49:37PM -0600, Manoj Srivastava wrote: Andrew == Andrew Pimlott [EMAIL PROTECTED] writes: Andrew How about: Andrew - When you vote, you additionally generate a random id and submit it Andrewwith the vote. Andrew - In the vote list, the secretary publishes the id next to the vote. Andrew You can still verify your vote, but you have no way to prove that you Andrew chose a particular id, so you can't convince anyone that a particular Andrew vote is yours. This is in no way better than the scheme we have coded and working right now. If someone can force you to give up your token, they can force you to divulge your random id; and if the id is next to the vote, you are sunk (The trick is, of course, that I'll get your ID from you before the vote tally sheet is published, so you can't fake it). I grant you that it is susceptible to someone who gets to you before the vote. This seems very hard to defend: the enemy can just insist that you send him your signed vote, and let him submit it. To beat this, you would have to be able to revoke the coerced vote in a way that makes the enemy think the vote he sent was counted, but makes you certain that yours was counted and his was not. Too hard for me. I think my scheme has the (slight?) advantage that it is not susceptible to someone who gets to you after the vote. The existing scheme allows you to prove (willingly) your vote to someone you meet after the vote. And, it allows an enemy who gets to you after the vote to coerce you to reveal your vote--unless you can convince him that you have destroyed and forgotten your confirmation message. (BTW, I'm not suggesting you change the scheme. Just exploring ideas.) In one way it is worse: What if 50 people choose Mickey Flood as their randomg ID? Obviously, the server rejects duplicate id's (and forces the voter to resubmit). Ok, there is a slight problem: if the secretary is crooked, and two people submit the same id and the same vote, he can forge a vote. But if people are told to choose their id's randomly, the chance can be made negligible. Andrew -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Thu, Apr 04, 2002 at 10:10:39AM -0500, Andrew Pimlott wrote: I grant you that it is susceptible to someone who gets to you before the vote. This seems very hard to defend: the enemy can just insist that you send him your signed vote, and let him submit it. To beat this, you would have to be able to revoke the coerced vote in a way that makes the enemy think the vote he sent was counted, but makes you certain that yours was counted and his was not. Too hard for me. Actually, it's pretty easy. As part of the vote, you have an order id, and whichever of these is highest, no matter what order the votes were received in, is accepted. So you give the bully the vote he wants, with `one bazillion' in the order field, and then submit the vote you really wanted with `one bazillion and one' in the order field. You need to be careful with your acks and naks in this case though. Obviously, the server rejects duplicate id's (and forces the voter to resubmit). Ok, there is a slight problem: if the secretary is crooked, and two people submit the same id and the same vote, he can forge a vote. But if people are told to choose their id's randomly, the chance can be made negligible. It's trivial for Debian users to generate high quality 128 bit random numbers, so it's also trivial to avoid collisions with something so near to certainty it's not worth worrying about. Cheers, aj -- Anthony Towns [EMAIL PROTECTED] http://azure.humbug.org.au/~aj/ I don't speak for anyone save myself. GPG signed mail preferred. Vote [1] Bdale! pgpf05l18fkef.pgp Description: PGP signature
Re: Election status
On Fri, Apr 05, 2002 at 01:44:13AM +1000, Anthony Towns wrote: On Thu, Apr 04, 2002 at 10:10:39AM -0500, Andrew Pimlott wrote: I grant you that it is susceptible to someone who gets to you before the vote. This seems very hard to defend: the enemy can just insist that you send him your signed vote, and let him submit it. To beat this, you would have to be able to revoke the coerced vote in a way that makes the enemy think the vote he sent was counted, but makes you certain that yours was counted and his was not. Too hard for me. Actually, it's pretty easy. As part of the vote, you have an order id, and whichever of these is highest, no matter what order the votes were received in, is accepted. So you give the bully the vote he wants, with `one bazillion' in the order field, and then submit the vote you really wanted with `one bazillion and one' in the order field. You need to be careful with your acks and naks in this case though. But he will see that his vote wasn't counted, and punish you. How can you foil him, without him knowing you foiled him? Andrew -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Thu, Apr 04, 2002 at 10:59:51AM -0500, Andrew Pimlott wrote: On Fri, Apr 05, 2002 at 01:44:13AM +1000, Anthony Towns wrote: On Thu, Apr 04, 2002 at 10:10:39AM -0500, Andrew Pimlott wrote: I grant you that it is susceptible to someone who gets to you before the vote. This seems very hard to defend: the enemy can just insist that you send him your signed vote, and let him submit it. To beat this, you would have to be able to revoke the coerced vote in a way that makes the enemy think the vote he sent was counted, but makes you certain that yours was counted and his was not. Too hard for me. Actually, it's pretty easy. As part of the vote, you have an order id, and whichever of these is highest, no matter what order the votes were received in, is accepted. So you give the bully the vote he wants, with `one bazillion' in the order field, and then submit the vote you really wanted with `one bazillion and one' in the order field. You need to be careful with your acks and naks in this case though. But he will see that his vote wasn't counted, and punish you. How can you foil him, without him knowing you foiled him? How will he see that, exactly? There weren't any tallies posted at the end to let people verify things, and every correctly formatted, signed vote gets an ack, whether it actually gets counted or not. Getting both verifiability and deniability is difficult. Getting one or the other is quite possible, though, which was the point of the above. Cheers, aj -- Anthony Towns [EMAIL PROTECTED] http://azure.humbug.org.au/~aj/ I don't speak for anyone save myself. GPG signed mail preferred. Vote [1] Bdale! pgpc8vY1Z911j.pgp Description: PGP signature
Re: Election status
On Fri, Apr 05, 2002 at 03:07:56AM +1000, Anthony Towns wrote: On Thu, Apr 04, 2002 at 10:59:51AM -0500, Andrew Pimlott wrote: But he will see that his vote wasn't counted, and punish you. How can you foil him, without him knowing you foiled him? How will he see that, exactly? There weren't any tallies posted at the end to let people verify things, and every correctly formatted, signed vote gets an ack, whether it actually gets counted or not. Maybe I missed something. Aren't you publicly posting the list of votes at the end, each with some token that allows the voter to verify his vote? The overriden vote won't be on the list. Getting both verifiability and deniability is difficult. Getting one or the other is quite possible, though, which was the point of the above. I have been assuming that you aren't willing to give up verifiability, and trying for some measure of deniability in addition. I think the scheme I suggested achieves this, as long as the enemy doesn't get to you before the vote. (If he does, you can still deny that you cast any particular vote, but you can't deny that you did not cast your vote with the id he told you to use.) Andrew -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Thu, 2002-04-04 at 10:44, Anthony Towns wrote: Actually, it's pretty easy. As part of the vote, you have an order id, and whichever of these is highest, no matter what order the votes were received in, is accepted. So you give the bully the vote he wants, with `one bazillion' in the order field, and then submit the vote you really wanted with `one bazillion and one' in the order field. You need to be careful with your acks and naks in this case though. Yes, but how do you then allow someone to verify correct counting of the votes. If you drop the bully's vote from the list of counted votes, he'll be very ticked when he doesn't see the ID number there; if you don't drop it, how is someone other than the secretary to count the votes? -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
Hi ya cunning election frisbee-ers ! Do you think it is important that the vote-results webpage correctly shows coerced votes ? If a voter can be coerced to vote for someone she doesnt want to vote for, then she can be coerced to put a hard-to-find remote exploit in a package she maintains ! The correct response to coercion would be a confidential mail to dpl, i think. It is within dpl's competence to correct the outcome of a voting, if that outcome was caused by coercion. (eg by rounding up 3 non-voters, asking 2 of them to vote on the candidates that the coerced voter didnt vote for, and asking the third to vote on the candidate the coercee wanted to vote for.) (interesting frisbeeing topic, dont you think :-) P.S. Manoj never let out that Asterix voted for Raphael ! have fun ! Siward -- Ridiculous thought : Streaming video in Debian manpages. Hahaha, they dont even have color ! (-:-) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Thu, 04 Apr 2002, Siward de Groot wrote: P.S. Manoj never let out that Asterix voted for Raphael ! While we're at it, it would be pretty cool to have a voting protocol where no one, not even the secretary, can find out other peoples' votes. Is such a thing possible? yours, peter This is not to say that I don't trust our current secretary, Manoj did a great job so far. Thanks a lot. -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/ pgperEcgJOfpl.pgp Description: PGP signature
Re: Election status
On Thu, 2002-04-04 at 17:04, Peter Palfrader wrote: While we're at it, it would be pretty cool to have a voting protocol where no one, not even the secretary, can find out other peoples' votes. Is such a thing possible? Yes. See, for example, my followup to the vote verification thread. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Thu, Apr 04, 2002 at 02:38:21PM -0500, Anthony DeRobertis wrote: On Thu, 2002-04-04 at 10:44, Anthony Towns wrote: Actually, it's pretty easy. As part of the vote, you have an order id, and whichever of these is highest, no matter what order the votes were received in, is accepted. So you give the bully the vote he wants, with `one bazillion' in the order field, and then submit the vote you really wanted with `one bazillion and one' in the order field. You need to be careful with your acks and naks in this case though. Yes, but how do you then allow someone to verify correct counting of the votes. Like I've said a few times, I'm not convinced it's possible to setup a voting system that: (a) doesn't provide receipts you can use to prove who you voted for (b) allows you to verify your vote was counted correctly (c) allows you to change your vote Look back through the thread for some approaches at avoiding two out of three of those. You'd have to research the literature if you wanted to find a more convincing answer about doing all three. You'll note that real life secret ballots only provide (a) and the first few DPL elections provided (c) with some attempt at (a), and last year's provided (b) and (c). Cheers, aj -- Anthony Towns [EMAIL PROTECTED] http://azure.humbug.org.au/~aj/ I don't speak for anyone save myself. GPG signed mail preferred. ``BAM! Science triumphs again!'' -- http://www.angryflower.com/vegeta.gif pgpCsgFQuMOxd.pgp Description: PGP signature
Re: Election status
Anthony == Anthony Towns aj@azure.humbug.org.au writes: Actually, it's pretty easy. As part of the vote, you have an order id, and whichever of these is highest, no matter what order the votes were received in, is accepted. So you give the bully the vote he wants, with `one bazillion' in the order field, and then submit the vote you really wanted with `one bazillion and one' in the order field. You need to be careful with your acks and naks in this case though. But he will see that his vote wasn't counted, and punish you. How can you foil him, without him knowing you foiled him? Anthony How will he see that, exactly? There weren't any tallies Anthony posted at the end to let people verify things, and every Anthony correctly formatted, signed vote gets an ack, whether it Anthony actually gets counted or not. Well, this year tally sheets shall indeed be presented, so that shan't work. If someone is indeed being coerced, please send me (or a DPL candidate other than the one you are being forced to vote for, or all of us) a signed message stating that. We'll see what can be done. manoj -- There are no children to take refuge in them, no father or any other relative. When a man is seized by that terminator, Death, there is no taking refuge in family. 288 Manoj Srivastava [EMAIL PROTECTED] http://www.debian.org/%7Esrivasta/ 1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Tue, Apr 02, 2002 at 10:02:56PM -0600, Manoj Srivastava wrote: Drake == Drake Diedrich [EMAIL PROTECTED] writes: Drake Easier for the voter to verify that it's the right md5sum for Drake the loginid+vote+token? Otherwise only those intimately We have actual developers who think taking a md5sum is arcane? I suppose if a simple command line invocation is too much for one, one does not really care about ones vote. However, since I shall never be sure who exactly is going to be that lazy (or incompetent, if they find md5sum invocations beyond their grasp), so it shall likely be a deterrent against vote stuffing. Was this md5sum not supposed to be sent in the aknowledgement mail of the ballot, so it would only be comparing two md5sums, quite easy to do. Two cutpastes should do the job, nothing arcane involved here ? Friendly, Sven Luther -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
Pete == Pete Ryland [EMAIL PROTECTED] Pete Instead of token, why not just use the message-id of the Pete voter's email? Because the Message-ID contains identifying material. Look at the References field above -- you'll find enough information that you could identify the originator of several of those messages without very much work. CMC +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ Man cannot be civilised, or be kept civilised by what he does in his spare time; only by what he does as his work. W.R. Lethaby +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ C.M. Connelly [EMAIL PROTECTED] SHC, DS +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Wed, 2002-04-03 at 14:57, Pete Ryland wrote: And what does that buy us over md5sum(loginid + vote + token)? Instead of token, why not just use the message-id of the voter's email? Well, your message ID is: [EMAIL PROTECTED] || ^^^ || date ^^?^^ time domain That ? is probably derived from the date or time. Or maybe pid. Not sure; don't feal like reading exim and/or mutt source. I know the vote; it's to the left of the key. I know the possible user id's. I have some good guesses as to date/time (only a couple week window, after all). I know which domain matches which user id. Now I can brute force that last unknown: Which vote belongs to which person. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Wed, Apr 03, 2002 at 03:17:13PM -0500, Anthony DeRobertis wrote: On Wed, 2002-04-03 at 14:57, Pete Ryland wrote: And what does that buy us over md5sum(loginid + vote + token)? Instead of token, why not just use the message-id of the voter's email? Well, your message ID is: [EMAIL PROTECTED] || ^^^ || date ^^?^^ time domain That ? is probably derived from the date or time. Or maybe pid. Not sure; don't feal like reading exim and/or mutt source. I know the vote; it's to the left of the key. I know the possible user id's. I have some good guesses as to date/time (only a couple week window, after all). I know which domain matches which user id. Now I can brute force that last unknown: Which vote belongs to which person. In addition, you don't even necessarily get protection against MITM attacks, since the Message-ID will not be part of the PGP-signed message content in most cases. Using this as the identifying token would be a step backwards in comparison with a server-generated token. (Note that you could check for message-id collisions on the server, and probably detect most attacks, but then you still either have to generate a token on the server side to replace it or invalidate the vote.) Steve Langasek postmodern programmer msg01655/pgp0.pgp Description: PGP signature
Re: Election status
Pete == Pete Ryland [EMAIL PROTECTED] writes: Pete Instead of token, why not just use the message-id of the voter's email? These are the last 15 mesage ID's generated by my MUA: Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Notice a pattern? Guess how hard would it be to determine which vote was mine, given access to Debian mailing list archives? manoj -- Real Programmers don't write in PL/I. PL/I is for programmers who can't decide whether to write in COBOL or FORTRAN. Manoj Srivastava [EMAIL PROTECTED] http://www.debian.org/%7Esrivasta/ 1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
[ I just saw this in DWN. ]
Anthony Towns mailto:[EMAIL PROTECTED] wrote:
On the downside, this allows people to use that info to go up to whoever
they voted for and say Look, see, I did vote for you {give me that wad of
cash you promised,don't beat me up}, which is theoretically undesirable,
but harder to fix. It's possible that you can only choose at most two of
making it impossible for the secretary to stack votes, voters being unable
to prove who they voted for to candidates, and being able to change your
vote/not know who's winning the vote 'til it's over.
How about:
- When you vote, you additionally generate a random id and submit it
with the vote.
- In the vote list, the secretary publishes the id next to the vote.
You can still verify your vote, but you have no way to prove that you
chose a particular id, so you can't convince anyone that a particular
vote is yours.
A separate matter: It's important that a sample of developers who
did not vote verify that their names are not on the voter list; and
that someone verify that all of the names on the voter list are
Debian developers.
Andrew
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
Andrew == Andrew Pimlott [EMAIL PROTECTED] writes: Andrew How about: Andrew - When you vote, you additionally generate a random id and submit it Andrewwith the vote. Andrew - In the vote list, the secretary publishes the id next to the vote. Andrew You can still verify your vote, but you have no way to prove that you Andrew chose a particular id, so you can't convince anyone that a particular Andrew vote is yours. This is in no way better than the scheme we have coded and working right now. If someone can force you to give up your token, they can force you to divulge your random id; and if the id is next to the vote, you are sunk (The trick is, of course, that I'll get your ID from you before the vote tally sheet is published, so you can't fake it). In one way it is worse: What if 50 people choose Mickey Flood as their randomg ID? In the case of server generated tokens, all tokens are _known_ to be unique. If you go to great lengths to ensure the ID is unique so you can verify it, the person who has forced you to give up the ID can be sure too. Andrew A separate matter: It's important that a sample of developers Andrew who did not vote verify that their names are not on the voter Andrew list; and that someone verify that all of the names on the Andrew voter list are Debian developers. The second shall be easy: The LDAP ID's shall be provided, a simple script can talk to LDAP and get the keys, and verify against the official key rings. manoj -- Ad astra per aspera. [To the stars by aspiration.] Manoj Srivastava [EMAIL PROTECTED] http://www.debian.org/%7Esrivasta/ 1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
Siward == Siward de Groot [EMAIL PROTECTED] writes: Siward Howdy Manoj and list ! Siward Manoj Srivastava wrote: Siward P.S. You wrote that Mickey Mouse voted for Bdale, Siwardwasnt that a breach of confidentiality !?! Keep your attributions straight: I never said that. manoj -- Badges? We don't need no stinking badges. Manoj Srivastava [EMAIL PROTECTED] http://www.debian.org/%7Esrivasta/ 1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Tue, Apr 02, 2002 at 07:31:59PM -0300, Gustavo Noronha Silva wrote: [EMAIL PROTECTED] wrote: Przebywam na urlopie do 08.04.2002 /me considers mail-bombing this email address As if that is going to stop his stupid vacation(1)? :) -- 2. That which causes joy or happiness. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Tue, Apr 02, 2002 at 10:02:56PM -0600, Manoj Srivastava wrote: Drake == Drake Diedrich [EMAIL PROTECTED] writes: Drake Easier for the voter to verify that it's the right md5sum for Drake the loginid+vote+token? Otherwise only those intimately We have actual developers who think taking a md5sum is arcane? I suppose if a simple command line invocation is too much for one, one does not really care about ones vote. However, since I shall never be sure who exactly is going to be that lazy (or incompetent, if they find md5sum invocations beyond their grasp), so it shall likely be a deterrent against vote stuffing. Was this md5sum not supposed to be sent in the aknowledgement mail of the ballot, so it would only be comparing two md5sums, quite easy to do. Two cutpastes should do the job, nothing arcane involved here ? Friendly, Sven Luther -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Tue, Apr 02, 2002 at 06:11:41PM -0600, Manoj Srivastava wrote: Siward == Siward de Groot [EMAIL PROTECTED] writes: Siward Anthony Towns wrote: But in any event, the problem with doing it that way is that you need to do it before the vote starts, which we haven't done. Siward not necessarily, Siward secretary could ask for these keywords separately, Siwardand match them to votes by name of voter, Siwardif he had the time. And what does that buy us over md5sum(loginid + vote + token)? Instead of token, why not just use the message-id of the voter's email? Pete -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
Sven == Sven [EMAIL PROTECTED] writes: Sven Was this md5sum not supposed to be sent in the aknowledgement ``Supposed'' to be? I don't think that it was decided to modify the vote system, no. The best I recall is some discussion last year about secret ballot protocols, but that is as far as it went. Sven mail of the ballot, so it would only be comparing two md5sums, Sven quite easy to do. Two cutpastes should do the job, nothing Sven arcane involved here ? And, of course, you then lose the benefit of having the md5sums, since I could slip the same md5sum to more than one person. I guess it would still be a deterrent, since I would never know who all did not really check the md5sum. Is it really that hard to run md5sum? Can we really survive as a project if the developers feel that way? Allow me to demonstrate. (Note: since my userid is srivasta, and if my secret token was 0123456789ABXDE, then i get: - % echo srivasta 0123456789ABXDE | md5sum f305c07513500e690a7f98f10c52a7fc -- I can even do this: % egrep $(echo srivasta 0123456789ABXDE | md5sum) tally.txt and see that my vote is valid. How hard was that? I guess I'll change the ack to put i a command line. I am not going to ship the md5sum in the ack, so there. manoj note: anyone who cannot substitute their login if for `srivasta' above, or interpolate their own token, is encouraged to vote again, the new ack shall interpolate them for you. -- Within a computer, natural language is unnatural. Manoj Srivastava [EMAIL PROTECTED] http://www.debian.org/%7Esrivasta/ 1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
Pete == Pete Ryland [EMAIL PROTECTED] writes: Pete Instead of token, why not just use the message-id of the voter's email? These are the last 15 mesage ID's generated by my MUA: Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Notice a pattern? Guess how hard would it be to determine which vote was mine, given access to Debian mailing list archives? manoj -- Real Programmers don't write in PL/I. PL/I is for programmers who can't decide whether to write in COBOL or FORTRAN. Manoj Srivastava [EMAIL PROTECTED] http://www.debian.org/%7Esrivasta/ 1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
Howdy Manoj and list ! Manoj Srivastava wrote: And what does that buy us over md5sum(loginid + vote + token)? I didnt literally say that it buys us something, so i assume that you are really asking what advantage is in letting voters determine the string which identifies their vote (the token). Compare browsing through a list of asp973497uprupo4p9q34p 's to browsing a list of funny sigs : the latter is more fun ! What makes us so bitter against people who outwit us is that they think themselves cleverer than we are. Nah, you're just imagining that. You could do better than that ; just imitate them ! P.S. You wrote that Mickey Mouse voted for Bdale, wasnt that a breach of confidentiality !?! have fun ! Siward The monkey that doesnt realise he is only half a man, lives happily ever after. Automatic Oversetting is not heavy. Elections are software. It is fun to design them ;lia89745p947g-3q498-347poiep[5-3 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Wednesday, April 3, 2002, at 05:33 PM, Siward de Groot wrote: P.S. You wrote that Mickey Mouse voted for Bdale, wasnt that a breach of confidentiality !?! Marvin the Martian voted for Branden, if you care ;-) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
[ I just saw this in DWN. ]
Anthony Towns mailto:aj@azure.humbug.org.au wrote:
On the downside, this allows people to use that info to go up to whoever
they voted for and say Look, see, I did vote for you {give me that wad of
cash you promised,don't beat me up}, which is theoretically undesirable,
but harder to fix. It's possible that you can only choose at most two of
making it impossible for the secretary to stack votes, voters being unable
to prove who they voted for to candidates, and being able to change your
vote/not know who's winning the vote 'til it's over.
How about:
- When you vote, you additionally generate a random id and submit it
with the vote.
- In the vote list, the secretary publishes the id next to the vote.
You can still verify your vote, but you have no way to prove that you
chose a particular id, so you can't convince anyone that a particular
vote is yours.
A separate matter: It's important that a sample of developers who
did not vote verify that their names are not on the voter list; and
that someone verify that all of the names on the voter list are
Debian developers.
Andrew
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
Andrew == Andrew Pimlott [EMAIL PROTECTED] writes: Andrew How about: Andrew - When you vote, you additionally generate a random id and submit it Andrewwith the vote. Andrew - In the vote list, the secretary publishes the id next to the vote. Andrew You can still verify your vote, but you have no way to prove that you Andrew chose a particular id, so you can't convince anyone that a particular Andrew vote is yours. This is in no way better than the scheme we have coded and working right now. If someone can force you to give up your token, they can force you to divulge your random id; and if the id is next to the vote, you are sunk (The trick is, of course, that I'll get your ID from you before the vote tally sheet is published, so you can't fake it). In one way it is worse: What if 50 people choose Mickey Flood as their randomg ID? In the case of server generated tokens, all tokens are _known_ to be unique. If you go to great lengths to ensure the ID is unique so you can verify it, the person who has forced you to give up the ID can be sure too. Andrew A separate matter: It's important that a sample of developers Andrew who did not vote verify that their names are not on the voter Andrew list; and that someone verify that all of the names on the Andrew voter list are Debian developers. The second shall be easy: The LDAP ID's shall be provided, a simple script can talk to LDAP and get the keys, and verify against the official key rings. manoj -- Ad astra per aspera. [To the stars by aspiration.] Manoj Srivastava [EMAIL PROTECTED] http://www.debian.org/%7Esrivasta/ 1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
Siward == Siward de Groot [EMAIL PROTECTED] writes: Siward Howdy Manoj and list ! Siward Manoj Srivastava wrote: Siward P.S. You wrote that Mickey Mouse voted for Bdale, Siwardwasnt that a breach of confidentiality !?! Keep your attributions straight: I never said that. manoj -- Badges? We don't need no stinking badges. Manoj Srivastava [EMAIL PROTECTED] http://www.debian.org/%7Esrivasta/ 1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Sun, Mar 31, 2002 at 02:55:45AM +1000, Anthony Towns wrote: If we're trying to enforce accountability on the secretary, this doesn't work. For example, if say, Bill and Betty both happen to vote the same way (123-, say), then you can mail them both the same keyword (foo), and publish: Another system I saw (many years ago, on fidonet) had the voters submit their own keyword when voting. When the results were published, the vote was published alongside the keyword (but no names). Hamish -- Hamish Moffatt VK3SB [EMAIL PROTECTED] [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
Previously Hamish Moffatt wrote: Another system I saw (many years ago, on fidonet) had the voters submit their own keyword when voting. When the results were published, the vote was published alongside the keyword (but no names). With a lot of people working on a common project to chances of having multiple people select the same keyword are going to be too high. Wichert. -- _ [EMAIL PROTECTED] This space intentionally left occupied \ | [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ | | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D | -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
Anthony Towns wrote: But in any event, the problem with doing it that way is that you need to do it before the vote starts, which we haven't done. not necessarily, secretary could ask for these keywords separately, and match them to votes by name of voter, if he had the time. have fun ! Siward -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Re: Election status
Przebywam na urlopie do 08.04.2002 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Tue, 02 Apr 2002 23:32:12 +0200 [EMAIL PROTECTED] wrote: Przebywam na urlopie do 08.04.2002 /me considers mail-bombing this email address []s! -- [EMAIL PROTECTED]: Gustavo Noronha http://people.debian.org/~kov Debian: http://www.debian.org * http://debian-br.cipsga.org.br -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Tue, Apr 02, 2002 at 06:11:41PM -0600, Manoj Srivastava wrote: And what does that buy us over md5sum(loginid + vote + token)? Easier for the voter to verify that it's the right md5sum for the loginid+vote+token? Otherwise only those intimately familiar with the vote encoding are at all likely to verify their votes - the author alone most likely. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
Drake == Drake Diedrich [EMAIL PROTECTED] writes: Drake Easier for the voter to verify that it's the right md5sum for Drake the loginid+vote+token? Otherwise only those intimately We have actual developers who think taking a md5sum is arcane? I suppose if a simple command line invocation is too much for one, one does not really care about ones vote. However, since I shall never be sure who exactly is going to be that lazy (or incompetent, if they find md5sum invocations beyond their grasp), so it shall likely be a deterrent against vote stuffing. Drake familiar with the vote encoding are at all likely to verify Drake their votes - the author alone most likely. Author - for a one liner? I think you are caviling at this proposal, and insulting the vast majority of developers manoj -- The man on tops walks a lonely street; the chain of command is often a noose. Manoj Srivastava [EMAIL PROTECTED] http://www.debian.org/%7Esrivasta/ 1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Sun, Mar 31, 2002 at 02:55:45AM +1000, Anthony Towns wrote: If we're trying to enforce accountability on the secretary, this doesn't work. For example, if say, Bill and Betty both happen to vote the same way (123-, say), then you can mail them both the same keyword (foo), and publish: Another system I saw (many years ago, on fidonet) had the voters submit their own keyword when voting. When the results were published, the vote was published alongside the keyword (but no names). Hamish -- Hamish Moffatt VK3SB [EMAIL PROTECTED] [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
Previously Hamish Moffatt wrote: Another system I saw (many years ago, on fidonet) had the voters submit their own keyword when voting. When the results were published, the vote was published alongside the keyword (but no names). With a lot of people working on a common project to chances of having multiple people select the same keyword are going to be too high. Wichert. -- _ /[EMAIL PROTECTED] This space intentionally left occupied \ | [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ | | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D | -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Tue, Apr 02, 2002 at 01:33:38PM +0200, Wichert Akkerman wrote: Previously Hamish Moffatt wrote: Another system I saw (many years ago, on fidonet) had the voters submit their own keyword when voting. When the results were published, the vote was published alongside the keyword (but no names). With a lot of people working on a common project to chances of having multiple people select the same keyword are going to be too high. $ dd if=/dev/random bs=128 count=1 2/dev/null | md5sum But in any event, the problem with doing it that way is that you need to do it before the vote starts, which we haven't done. Cheers, aj -- Anthony Towns [EMAIL PROTECTED] http://azure.humbug.org.au/~aj/ I don't speak for anyone save myself. GPG signed mail preferred. Vote [1] Bdale! -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
Anthony Towns wrote: But in any event, the problem with doing it that way is that you need to do it before the vote starts, which we haven't done. not necessarily, secretary could ask for these keywords separately, and match them to votes by name of voter, if he had the time. have fun ! Siward -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Re: Election status
Przebywam na urlopie do 08.04.2002 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
Siward == Siward de Groot [EMAIL PROTECTED] writes: Siward Anthony Towns wrote: But in any event, the problem with doing it that way is that you need to do it before the vote starts, which we haven't done. Siward not necessarily, Siward secretary could ask for these keywords separately, Siwardand match them to votes by name of voter, Siwardif he had the time. And what does that buy us over md5sum(loginid + vote + token)? manoj -- What makes us so bitter against people who outwit us is that they think themselves cleverer than we are. Manoj Srivastava [EMAIL PROTECTED] http://www.debian.org/%7Esrivasta/ 1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Tue, 02 Apr 2002 23:32:12 +0200 [EMAIL PROTECTED] wrote: Przebywam na urlopie do 08.04.2002 /me considers mail-bombing this email address []s! -- [EMAIL PROTECTED]: Gustavo Noronha http://people.debian.org/~kov Debian: http://www.debian.org * http://debian-br.cipsga.org.br -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
On Tue, Apr 02, 2002 at 06:11:41PM -0600, Manoj Srivastava wrote: And what does that buy us over md5sum(loginid + vote + token)? Easier for the voter to verify that it's the right md5sum for the loginid+vote+token? Otherwise only those intimately familiar with the vote encoding are at all likely to verify their votes - the author alone most likely. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Election status
Drake == Drake Diedrich [EMAIL PROTECTED] writes: Drake Easier for the voter to verify that it's the right md5sum for Drake the loginid+vote+token? Otherwise only those intimately We have actual developers who think taking a md5sum is arcane? I suppose if a simple command line invocation is too much for one, one does not really care about ones vote. However, since I shall never be sure who exactly is going to be that lazy (or incompetent, if they find md5sum invocations beyond their grasp), so it shall likely be a deterrent against vote stuffing. Drake familiar with the vote encoding are at all likely to verify Drake their votes - the author alone most likely. Author - for a one liner? I think you are caviling at this proposal, and insulting the vast majority of developers manoj -- The man on tops walks a lonely street; the chain of command is often a noose. Manoj Srivastava [EMAIL PROTECTED] http://www.debian.org/%7Esrivasta/ 1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
