
Re: internet voting -- ICANN, SmartInitiatives, etc.

2001-01-14 11:40:02


Jon Crowcroft wrote:

the biggest problems with security systems are generally 90% to do with
design errors at level 10 (human, not political, economic,
application, transport etc)

Explorers of any kind oftentimes are led to believe in monsters at the
"end of the sea", but not all of them and so they move forward.
Security experts today are divided in two camps. Those many that
believe we can never make anything secure and those few that
believe we can make a system be as close to perfect security as
desired.

it would be interesting to run a _real_ experiment in 3 types of
voting (computer based, networked computer based and traditional) and
see if the results came out the same - it should persist for several
decades before one could believe that any adaption in the
democratic process had factored in human behavioural bias .... imho

This would make sense in a statistical approach based on frequency
of events, where we need many events and even then we are never
sure because we did not run an infinite number of tests.

So, what you suggest is bound to fail, as a practical matter.

Instead, we follow a two-track approach using real-time auditing
built into the protocol in a secure zero-knowledge formalism so that
auditing during voting neither tampers nor learns anything from the
voting process (keys, votes, voter identities, msgs, etc.), and the
Bayes approach to statistics, also used by Shannon, where we
deal with conditional probabilities in multiple channels of
information.

In other words, Safevote's protocol provides a neutral observer that
goes undetected by all machines (and software) and yet allows
all processes pertaining to that observer to be recorded,
followed in real-time and fully verified against 100% trusted
(yes, such a thing exists and there are many practical ways
to do it in elections) records of what it should be.

Thus, trust in the election system is earned as anyone
can see that the system does exactly what is expected, for a
random message, any number N of times.  By increasing N,
we decrease the probability that an error can occur in N+1,
N+2, etc.  Key to this method is that it must be fully undetectable
by the system, so that the system has no way of knowing
whether it is facing a voter or an observer in auditing.

There are other auditing processes that must be enabled as well
and, in fact, auditing must be built into the entire system
from voter registration to ballot reporting by means of closed
loops of trust (not to be confused with closed loops of
authorization).

Cheers,

Ed Gerck
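
The statistical argument in the message above (N clean audits by an observer the system cannot tell apart from a voter), worked through as an added example that is not part of the original post and is not Safevote's protocol. It assumes a uniform prior on the tamper rate `theta` and a hypothetical parameter `d`, the probability that the system recognises an audit probe as a probe.

```python
import random

def miss_probability(theta, n, d=0.0):
    """Chance that n audit probes all come back clean when the system
    alters a fraction theta of the messages it takes for real votes and
    recognises a probe with probability d (d=0: fully undetectable)."""
    return (1.0 - theta * (1.0 - d)) ** n

def posterior_next_error(n):
    """Bayes with a uniform Beta(1,1) prior on theta (an assumption):
    after n clean undetectable probes the posterior is Beta(1, n+1),
    so P(message n+1 is altered) is its mean, 1/(n+2)."""
    return 1.0 / (n + 2)

def upper_bound(n, confidence=0.95):
    """theta lies below this value with the given posterior probability.
    The Beta(1, n+1) CDF is 1 - (1 - x)**(n + 1), inverted here."""
    return 1.0 - (1.0 - confidence) ** (1.0 / (n + 1))

def simulate(theta, n, d, trials=5000, seed=1):
    """Monte Carlo check of miss_probability on constructed data."""
    rng = random.Random(seed)
    missed = 0
    for _ in range(trials):
        caught = False
        for _ in range(n):
            recognised = rng.random() < d      # system spots the probe
            if not recognised and rng.random() < theta:
                caught = True                  # probe was altered: audit fails
                break
        missed += not caught
    return missed / trials

if __name__ == "__main__":
    theta, n = 0.01, 300                       # constructed sample values
    for d in (0.0, 0.5, 0.9):
        print(f"d={d:.1f}  tampering survives {n} probes with p="
              f"{miss_probability(theta, n, d):.3f}")
    print(f"P(error on probe {n + 1} | {n} clean) = {posterior_next_error(n):.5f}")
    print(f"95% bound on theta after {n} clean probes: {upper_bound(n):.5f}")
```

With `d = 0` a 1% tamper rate survives 300 probes about 5% of the time; if the system recognises 90% of probes, the same tampering survives about 74% of the time, which is why the observer has to be indistinguishable from a voter.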