[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


I disagree with Stan regarding the EAL levels he mentioned.

The minimum level should be EAL-4 which represents an accomplishable
security level.  EAL-2 is far too low for a secure product
that has NO independent auditability.  As well, any product
that maintains that its cryptographic sections are sufficient
to secure the ballots (in lieu of voter verified paper ones)
must DEMONSTRATE A FULL PROOF of the correctness of the
cryptographic algorithms AS WELL as the full proof of their
IMPLEMENTATION (in software and/or hardware).  This area
would be EAL-7, and this is consistent with recommendations
in the Common Criteria for cryptographic components. Laziness
on the part of the vendors in wanting to punt their "proof" to
the open source community rather than doing the hard work themselves
should be no excuse for lax certification requirements.

This is what I have insisted upon all along and I do not intend
to change my stance on this (as in, if this is not what ultimately
is in the draft that goes out to ballot, you can expect to see
the above comment and a "no" vote from me). I urge others to chime
in on these points.  The bottom line is that since the working
group could not agree that independent validation of the ballots
be a part of the standard, then the security needs to be shored
up appropriately.  You can't have it both ways (though I can
see that some of you are still trying).

As far as COTS is concerned, the main point that I would like
to make about that is that if a vendor is not willing to provide
their code and hardware specifications then the COTS product
has no business being put into a voting system, especially one
that HAS NO INDPENDENT AUDITABILITY.  The fact is that vendors
can't even keep track of their own bug fixes (for example the
32K one that ES&S knew about in 2002 but was still floating
around Florida and elsewhere in 2004), so how can we rely on
anyone to perform upgrades to COTS components.  Where COTS
need to be vetted is at the INITIAL CERTIFICATION.  There should
be no blanket exemptions for anyone.  If the product does not
impact on the vote collection and vote tallying units, it can
be marked as such at the time of initial certification.  If it
does, then it needs to be thoroughly inspected and tested just
like all the rest of the voting system. The way you are planning
to write the specs, one can (and I believe there even is a
company who is considering doing this) create a voting machine
ENTIRELY out of COTS and skip nearly all of the inspection process!
This is bogus, but our standard will encourage that type of development,
especially because ballot face programming is not a part of our
standard, and it could be layered on top of a COTS database, and
off to the races you go.

Rebecca Mercuri.