Hi,

Norbert Thiebaud wrote:
> On Fri, Jun 10, 2011 at 4:07 AM, Michael Meeks <[email protected]> wrote:
>> I strongly suggest we simply copy the GNOME process here; this
>> generates a unique random key per person which is mailed out, and used
>> instead of a name when voting; thus the voting record can be published,
>> and independently analysed while keeping it anonymous (outside of the MC
>> that is).
>
> Just to make sure I understand it correctly:
> it is 'anonymous' but each voter knows _his_ anonymous token and
> therefore can verify that his vote has been recorded accurately, by
> cross-checking the published details-values right?
I can explain the mechanism.

Before the election, a unique token is generated for every voter, and stored with their email address. This token is mailed out to the voter. Obviously, since these are stored together, there is no anonymity at this point.

When I vote, I use my email address and this token to authenticate. Then I'm brought to a page where I can order the candidates in order of preference. On successfully voting, a unique anonymous token is created, and stored in an anonymous token table. This token is used (along with a preference) to identify which candidates I voted for, and in what order. The temporary token associated with the email address is at this point deleted, leaving no way to connect the email address to the anon token. Then we communicate the anonymous token to the voter, and tell him to write it down somewhere so that he can check his vote later.

At the end of the election, this does leave us some standard election type stuff you can do:

* we can tell whether someone has voted or not (but not how they voted) by checking the temporary auth tokens still left in the database.
* We can publish the ballots, identified by the anon token, so anyone can check the results, and check their own ballot, but not how others voted.

> and that is the basis of the temper proof mechanism.

Yes, basically. There are of course security weak-points here. The first and weakest is the voter's email client: if I gain access to the voter's mail, I can vote in the place of someone using their email & token. The second is the database itself: if I can get access to the authentication tokens and the electorate, I can vote for anyone at all. In principle, we can address the first with gpg, but not everyone uploads a pgp key. The latter implies trusting the administrators of the system to be honest.
There are ways to encrypt the entire chain with private key cryptography, but for us that would have complicated the voting process for a substantial number of people, and been overkill.

> It is incumbent on each member to make sure that he received his token
> and that his vote is correctly counted.

Yes - we can of course resend tokens, and we announce publicly that the tokens have been sent. Until someone votes, we can get & resend the temporary token easily.

> (that is, make sure that his
> email didn't get intercepted somehow, or that the MC did not receive
> a spoofed email).

Yes, this is the weak point, as I said. pgp signing proves providence, but doesn't prevent interception. pgp encryption would do the latter, but not the former.

> I think that pgp/gpg-signing these emails would remove some possibility
> to interfere with the process.

You would also need to pgp encrypt the temporary token with the voter's public key to ensure that the election administrator can't vote on behalf of people.

> OpenSTV is GPL, but only available for download for a fee.

Really? News to me! It wasn't up until OpenSTV 1.6. I'd be happy to share my copy with anyone who needs it.

Ooh: I just saw this on the openstv blog: http://www.openstv.org/node/133

If you have <=10 candidates and <=1000 voters, you can do the voting online, with hosted OpenSTV.

> It would be nice to find a way for anyone, or at the very least for
> Members, to be able to use the raw result and re-calculate the result
> for themselves...

Why not buy one copy of the source code and share it among OOo members who don't want to pay $5 to Jeff?

> PS: Not that I am overly concerned about election tempering... but as

Funny - I *just* realised that you meant "tamper" - I honestly thought you wanted to "temper" (ie harden) the process. Sorry - that just amused me - not picking on your grammar or anything.

Cheers,
Dave.
--
Dave Neary
GNOME Foundation member
[email protected]

--
List archive: http://listarchives.documentfoundation.org/www/steering-discuss/
