Cosource Proposal: Implement vote-checking network
for eVote®/Clerk
eVote®/Clerk provides a non-hierarchical
decision-making system for online groups. Currently,
two user interfaces, or "eVote" interfaces, are
implemented: telnet and email. The email interface
allows any member of an email list to administer a poll
for the group that is meeting via the email list. Only
the list members can vote.
The email interface also enables anyone with an email
list to generate and administer an internet petition
that is served from the WWW as well as via email. A
petition can be administered by a collaborating group
that meets via email list. Petitions can be signed, or
voted on, by anyone with an email address. The
petition facility speaks several languages and new
languages are easily added.
These interfaces are served by "The Clerk", a
specialized database server, or vote-server, that
totally automates the evolution of schema, and thereby
takes all the responsibility and power of the vote
system away from the system administrator, making it a
best-possible candidate for administering secure
elections.
This system is unique among online voting systems in
that it is the only system that addresses the potential
of attack from the administrator.
The user interfaces are released as open source
software but, because The Clerk's main feature is that
it protects the users from the administrator, the
source is secret (so far) and is only in the hands of a
few trusted volunteers.
The author of the software, Marilyn Davis, wishes to
release the source for The Clerk, and the eVote
interfaces, under GPL, but, in order not to compromise
the accountability of polls, the author needs to have a
network layer in place to do so. This is the
specification of that network/security layer. Its
implementation will not only provide absolute
accountability for online voting, but also will trigger
the release of the source code for The Clerk, and GPL
the entire project.
If anyone is interested in developing the
user-interface for this specification, please collect
the current source code from:
http://www.deliberate.com. Marilyn Davis is available
to answer questions and check internal specifications
and code at evote-workers@deliberate.com, a majordomo
email list. Please join.
Also, please comment on and improve this specification.
===== ====== ======= =============
Clerk Source Release Specification
===== ====== ======= =============
This specification describes the network layer required
to release the source to The Clerk so that the accuracy
of secret-vote polls is guaranteed.
This specification makes no attempt to guarantee the
privacy of such polls. Privacy will be the subject of
a future release. This current work is designed to be
the minimum required for absolute accountability of the
polls; so that the source can be released and the free
software communities can develop guarantees against
attacks on privacy.
This specification is in three parts: the "External
Specification", which describes the users' view; the
"Non-Repudiation Specification", which details the
design of the non-repudiation feature; and the
"Internal Specification", which specifies the
implementation design.
----
External Specification -- the user's view
======== =============
The current version, eVote®/Clerk 2.5, is an email
interface for voting. When there is a non-public poll,
i.e., one where the votes are not public, the user who
initiated the poll sends an "eVote close" command in an
email message to close the poll to further voting.
eVote sends back a confirmation message, which contains
a random key in the subject line. When the message is
returned, the software marks the poll as closed and
sends the final tally to the list members.
For the GPL-ed version, the "eVote close" command on
non-public poll types will be significantly enhanced to
spark a human/computer collaboration that effects a
secure cross-network check of the vote data that
involves three eVoted facilities. In the discussion
below, eVoted facilities will be on the domains:
alice.net, bob.net and similar names. The poll
administrator will be jane@doe.net who is a member of
the lwv-meeting@alice.net email list, which is an
eVoted email list.
The new "eVote close" command will accept an optional
argument: the warning-time:
eVote close 48
The default warning-time will be 24 hours.
In response to an "eVote close 48" sent to the list
address, lwv-meeting@alice.net, by jane@doe.net, the
originator and administrator of the poll, eVote will
generate the following confirmation and verification
request. The headers are explained below.
> --- start of message
> To: jane@doe.net
> From: lwv-meeting-eVote@alice.net
> Reply-To: theclerk@bob.net
> Subject: CONFIRM: Ax.|i^ Re: President
>
> Thank you for your "close 48" message on:
>
> "President"
>
> To confirm and verify the poll, please reply-to this
> message and include this entire unaltered message in
> your reply. Notice that your message will
> automatically be sent to theclerk@bob.net for
> external verification of the votes. If you wish, you
> may, instead, forward the message to one of the
> following addresses for verification:
>
> theclerk@charlie.net
> theclerk@dana.net
> theclerk@emily.net
> theclerk@fred.net
> theclerk@gary.net
>
> The Clerk at the site you choose will send a final
> reminder to list members and will check the accuracy
> of the count. 48 hours after this is successful, the
> poll will close.
>
> The following text is the public encryption key for
> this poll. eVote will use it to ensure the integrity
> of the data. You don't need to be concerned about
> it.
>
> [The poll's public encryption key is inserted here.]
>
> --- end of message
> From: lwv-meeting-eVote@alice.net
The From: shows that the message is generated by eVote
for the lwv-meeting email list. Mail received at
lwv-meeting-eVote@alice.net is usually aliased to the
list's owner.
> Reply-To: theclerk@bob.net
jane@doe.net's mail reader should send the message to a
sibling eVote facility, either at bob.net or she might
decide to forward it to one of the addresses listed in
the message body.
The mail aliases for verification are "theclerk", but it
is really eVote, the user interface, that performs the
poll verification, not the remote Clerk. The "theclerk"
alias is used because the "eVote" alias is
conventionally used for receiving petition signatures.
> Subject: CONFIRM: Ax.|i^ Re: President
When theclerk@bob.net, an address at the sibling
eVote/Clerk site, receives the message, it communicates
with eVote/Clerk at alice.net to check the random
confirmation key, "Ax.|i^" in the example, and to
transmit the poll data from alice.net to bob.net.
eVote/Clerk at bob.net checks the tally and sends each
participant the following "CLOSE
WARNING:/pending-receipt" message. Note that the eVote
software already provides the text in this receipt
except for the "Verifying This Pending Receipt"
section.
> --- start of message
>
> To: each-lwv-meeting-member@somewhere.net
> From: theclerk@bob.net
> Reply-To: lwv-meeting@alice.net
> Subject: CLOSE WARNING: President
>
> The poll on:
>
> President
>
> will close on Tuesday Jan 23, 2010 at 06:00 PST.
>
> Please save this pending receipt message in its
> entirety until everyone is satisfied that the poll
> was conducted accurately.
>
> ==== ====
> POLL TEXT
> ==== ====
>
> Please choose one.
>
> ======= == ===
> RESULTS SO FAR
> ======= == ===
>
> Of the 340 people currently subscribed to the
> lwv-meeting list, 263 have voted so far.
>
> Participants are asked to vote YES on 1 of the
> following choices:
>
> Your On
> Vote Choice
>
> no 1. Lynn Anfanger
> no 2. Alice Bush
> yes 3. Jean Kennedy
> no 4. Abstain
>
> each-lwv-member@somewhere.net, you have used 1 of
> your 1 YES votes.
>
> ======= ====
> PRIVATE POLL
> ======= ====
>
> This is a "private" poll; ballots are secret.
>
>
> == ====
> TO VOTE
> == ====
>
> | 1. Send a message to lwv-meeting@alice.net.
> |
> | 2. Your subject must be "President".
> |
> | * * * * * * * * * * * * * * * * * * * * * * * *
> ----> * NOTE: These two steps are easy. Just use *
> * your reply-to key on this message! *
> * * * * * * * * * * * * * * * * * * * * * * * *
>
> 3. Your message *must* start with the word,
> "eVote", or your vote will be sent to the
> entire lwv-meeting list and it won't be
> counted!
>
> To vote yes on choice 2, your message should
> say:
>
> eVote
> 2. y
>
> Every choice you don't vote "yes" on will
> receive an automatic "no" vote.
>
> 4. If your message has a signature, or any other
> text below your vote, make a line that says, "end"
> just after your vote.
>
> ======== ==== ====
> CHANGING YOUR VOTE
> ======== ==== ====
>
> You can change your votes while the poll is open by
> voting again.
>
>
> ======== ==== ====
> REMOVING YOUR VOTE
> ======== ==== ====
>
> To remove your votes on "President",
> send the message:
>
> eVote remove
>
>
> ====== === ======= == === ====
> SEEING THE RESULTS OF THE POLL
> ====== === ======= == === ====
>
> You cannot see the vote tally until the vote closes.
> Only jane@doe.net, the originator of this poll, can
> close it.
>
>
> ==== ===========
> MORE INFORMATION
> ==== ===========
>
> To receive more information about "President":
>
> 1. Send a message to:
>
> lwv-meeting@alice.net
>
> 2. Your subject must be:
>
> President
>
> 3. To see your own vote and this information again,
> send the command:
>
> eVote info
>
> For a general explanation of eVote/Majordomo, use any
> subject line, and send the message:
>
> eVote help
>
>
> ========= ==== ======= =======
> VERIFYING THIS PENDING RECEIPT
> ========= ==== ======= =======
>
> To verify the validity of this pending receipt
> message, forward this message, in its entirety, to
> any of these addresses:
>
> theclerk@charlie.net
> theclerk@dana.net
> theclerk@emily.net
> theclerk@fred.net
> theclerk@gary.net
>
> The following text, although it looks like nonsense,
> allows any of the addresses above to check that this
> message has not been altered and is exactly what was
> reported by the eVote facility at alice.net.
>
> ----
>
> [This poll's public encryption key and the
> private-key encrypted non-repudiation MAC for this
> message are here.]
>
> --- end of message
When poll-closing time arrives, alice.net
generates the following message for the poll's
originator:
> --- start of message
>
> To: jane@doe.net
> From: lwv-meeting-eVote@alice.net
> Reply-To: theclerk@charlie.net
> Subject: CONFIRM: Bx.|i^ Re: President
>
> The poll on:
>
> "President"
>
> is now closed but has not been verified or announced.
> To do so, your help is needed.
>
> Please reply-to this message.
>
> Notice that your message will automatically be sent
> to theclerk@charlie.net for external verification of
> the votes. If you wish, you may, instead, forward
> the message to one of the following addresses:
>
> theclerk@dana.net
> theclerk@emily.net
> theclerk@fred.net
> theclerk@gary.net
>
> The Clerk at the site you choose will send the final
> tally to each of the list members.
> --- end of message
In the case that jane@doe.net doesn't respond to this
message, any member who inquires about the status of
the poll receives this message until someone finally
triggers the verification and announcement of the poll.
The third Clerk sends the "CLOSE"/final receipt message
to each member of the list. Again, the current eVote
software provides this receipt except for the
"Verifying This Final Receipt" section.
> To: each-lwv-meeting-member@somewhere.net
> From: theclerk@charlie.net
> Reply-To: lwv-meeting@alice.net
> Subject: CLOSE: President
>
>
> jane@doe.net has closed the poll on
>
> President.
>
> This poll was initiated on Thu, 11 Jan 2010 11:16:57
> -0800
>
> Please save this final receipt message in its
> entirety until everyone is satisfied that the poll
> was conducted accurately.
>
> ==== ====
> POLL TEXT
> ==== ====
>
> Please choose one.
>
> =======
> RESULTS
> =======
>
> Of the 340 people subscribed to the lwv-meeting list
> when this subject was closed, 313 of them voted.
>
> Participants were asked to vote YES on 1 of the
> following choices:
>
> Yes No On
> Votes Votes Choice
>
> 85 228 1. Lynn Anfanger
> 101 212 2. Alice Bush
> 117 196 3. Jean Kennedy
> 10 303 4. Abstain
>
> each-lwv-meeting-member@somewhere.net, you can see
> your own vote, and this information again by sending
> email to lwv-meeting@alice.net with the subject
> "President".
>
> Your message should say:
>
> eVote stats
>
>
> ======== === ====
> DELETING THE DATA
> ======== === ====
>
> The originator of this poll, jane@doe.net, can drop
> this poll from the database after it has been closed
> for 28 days by sending the command:
>
> eVote drop
>
> Anyone can drop this poll after it has been closed
> for 180 days.
>
> ========= ==== ===== =======
> VERIFYING THIS FINAL RECEIPT
> ========= ==== ===== =======
>
> To verify the validity of this receipt, forward this
> final receipt message, in its entirety, to any of
> these addresses:
>
> theclerk@charlie.net
> theclerk@dana.net
> theclerk@emily.net
> theclerk@fred.net
> theclerk@gary.net
>
> The following text, although it looks like nonsense,
> allows any of the addresses above to check that this
> message has not been altered and is exactly what was
> reported by the eVote facility at alice.net.
>
> ----
>
> [This poll's public encryption key and the
> private-key encrypted non-repudiation MAC for this
> message are here.]
>
> --- end of message
Non-Repudiation Specification
=============== =============
The point of non-repudiation in the networked
eVote/Clerk facilities is not only to prevent eVote
installations from denying the email they send, but
also to foil users who claim false receipts.
The Scheme
--- ------
The eVote®/Clerk network mechanism is a procedure for
verifying a non-public poll, i.e., guaranteeing its
accuracy. Achieving this degree of accountability
requires the participation of the users.
When the user/administrator sends an "eVote close"
command to close a private poll at the alice.net eVoted
site, she is sent a message instructing her to forward
this message to another eVote facility to start the
confirmation and verification process, and to achieve
closure.
The confirmation message has a random key to confirm
the user's intention, and a public encryption key to
verify the poll. A different public/private key pair
will be generated for each non-public poll. These keys
are for non-repudiation only, not to ensure privacy.
The user chooses the eVote facility at bob.net and
forwards the confirmation message to theclerk@bob.net.
Bob.net generates a random message, encrypts it with
the poll's public key and sends this, along with the
forwarded confirmation message back to
theclerk@alice.net.
Alice.net checks the random key of the confirmation
message to verify that the communication from bob.net
was the one initiated at alice.net and by the
appropriate user.
Alice.net also decrypts the random message and sends
that back to bob.net to verify the public/private key
pair. With this verification message comes the vote
data needed so that bob.net can send the "CLOSE
WARNING" with the pending receipt to each voter before
the poll closes.
The data message sent from alice.net to bob.net
contains a data package for each voter. Each voter's
package has two parts. The first part is the email
address and vote. These are sent as clear data. The
second part is the non-repudiation MAC for the first
part. The MAC is encrypted with the poll's private
key.
Each voter's package is the "pending receipt" for that
voter. It is embedded into the "CLOSE WARNING" message
that is sent to that voter.
Bob.net checks that alice.net was able to decrypt the
random message; checks the statistics on the poll from
the clear data; and verifies each voter's data package
by decrypting and checking the MAC using the public
key, still remembered from the confirmation message.
Bob.net sends each voter her vote as clear data, and
that voter's encrypted MAC.
The process is repeated after the poll is closed so
that each voter receives a "CLOSED" message which
contains, besides the voter's final receipt, the final
tally for the poll.
Verification
------------
Any voter will be able to forward her "CLOSE
WARNING/pending receipt" or her "CLOSE/final receipt"
message to any of the Clerk addresses and, if the MAC
and the key pair are verified, the following message
will be returned:
> This message is your verification that the eVote
> receipt you sent, which is copied below, is
> authentic.
Or, if the receipt cannot be validated, an advisory
message will be sent to the voter, to the owner of the
email list, lwv-meeting-owner@alice.net, and to
eVote-owner@alice.net. The message will read:
> The eVote receipt you sent, which is copied below,
> has been altered and cannot be verified.
When bob.net verifies a receipt, it sends a random
message which is encrypted with the poll's public key,
to alice.net. Alice.net returns the decrypted message
to verify the poll's key pair. Bob.net checks that
returned message and checks that the MAC is correct for
the vote.
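As an added worked example (not code from the eVote/Clerk project), here is the per-voter data package, the MAC check a sibling Clerk performs, and the key-possession challenge from the Scheme and Verification sections above. Demo-sized textbook RSA built from two known primes stands in for the poll's real key pair; the key values, voter data and reply strings are constructed for illustration.

```python
import hashlib
import secrets

# Constructed demo key parameters: both factors are known primes. A real
# deployment would use full-size keys from a vetted crypto library.
DEMO_P, DEMO_Q, DEMO_E = 1000000007, 998244353, 65537


def make_poll_keypair(p=DEMO_P, q=DEMO_Q, e=DEMO_E):
    """A fresh key pair is generated per non-public poll; returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def receipt_mac(email, vote):
    """MAC over the clear part of a voter's package (email address + vote).
    Truncated to 56 bits so it is below the demo modulus n."""
    digest = hashlib.sha256(f"{email}\n{vote}".encode()).digest()
    return int.from_bytes(digest[:7], "big")


def make_package(email, vote, private):
    """alice.net builds a voter's package: clear data plus the MAC
    'encrypted' with the poll's private key (i.e. a signature)."""
    n, d = private
    return {"email": email, "vote": vote, "mac": pow(receipt_mac(email, vote), d, n)}


def verify_package(pkg, public):
    """bob.net (or any sibling site) decrypts the MAC with the poll's public
    key and compares it against a MAC recomputed from the clear data."""
    n, e = public
    return pow(pkg["mac"], e, n) == receipt_mac(pkg["email"], pkg["vote"])


def challenge(public):
    """bob.net: a random message encrypted with the poll's public key.
    Returns (plaintext kept locally, ciphertext sent to alice.net)."""
    n, e = public
    m = secrets.randbelow(n - 2) + 2
    return m, pow(m, e, n)


def respond(ciphertext, private):
    """alice.net proves it holds the matching private key by decrypting."""
    n, d = private
    return pow(ciphertext, d, n)


def verification_reply(pkg, public):
    """The reply a sibling Clerk returns to a voter who forwards a receipt."""
    if verify_package(pkg, public):
        return "This message is your verification that the eVote receipt you sent is authentic."
    return "The eVote receipt you sent has been altered and cannot be verified."


def tally(packages):
    """Count the clear votes so the announced results can be checked."""
    counts = {}
    for pkg in packages:
        counts[pkg["vote"]] = counts.get(pkg["vote"], 0) + 1
    return counts
```

A voter who changes her vote line before forwarding the receipt gets the "altered" reply, because the decrypted MAC no longer matches the clear data.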
Internal Specification -- software design
======== =============
Each Clerk will have a new address: theclerk@alice.net
for the purposes of accomplishing both this interaction
with users, and for communicating between eVote/Clerk
facilities. We will not build a Secure Socket Layer in
this release.
The reasons for sticking to email are:
1. Using an SSL for the communication between Clerks
will not secure privacy because the voting takes place
in the clear.
2. Sticking to the email interface means that almost
all the coding for this specification will take place
in the user interface where the source code is already
released.
3. The vote-checking will be done by a remote user
interface and will not involve the remote Clerk at all,
leaving closed a doorway to possible abuse of the
remote Clerk's data.
4. The division of labor that this architecture
provides allows almost all the work to be done by
someone other than Marilyn Davis.
Changes in The Clerk will be minimal:
1. Change a line of code so that information about
private polls is released to the user interface, and
therefore to the user interface programmer. The
interface programmer can use the same calls that are
currently used for public polls.
2. Support the following calls:
typedef enum {NO, YES, MAYBE, PUNT, DROPIT} YESorNO;
typedef enum {NOT_OK, OK, UNDECIDED, PROBLEM, STOP, CANT} OKorNOT;

YESorNO is_warning_done(ITEM_INFO * p_item);
    // Checks if the warning data has been sent to a
    // remote eVote/Clerk facility yet.
    // Returns YES if the warning has already happened.
    //         NO if it hasn't.
    //         PUNT if called on a public item.

OKorNOT warning_sent(ITEM_INFO * p_item, time_t time_to_close);
    // Notes that the warning data has been sent and sets the
    // closing time of the poll.

YESorNO is_close_done(ITEM_INFO * p_item);
    // Checks if the data has been sent to a remote Clerk
    // since the poll has closed.
    // Returns YES if the final has been sent.
    //         NO if it has not been sent.
    //         PUNT if called on a public item.

OKorNOT close_sent(ITEM_INFO * p_item);
    // Notes that the final data has been sent to a remote
    // Clerk.

OKorNOT store_key_pair(ITEM_INFO * p_item, char * private, char * public);
    // Stores the key pair strings for the item. The
    // length of the keys is not limited.
    // Returns OK if it stored the key pair.
    //         PROBLEM if the item is PUBLIC.
    //         NOT_OK if a key pair is already stored for
    //                this item.

OKorNOT get_key_pair(ITEM_INFO * p_item, char * private, char * public);
    // Copies the key pair into the addresses given.
    // Returns OK if it was successful.
    //         PROBLEM if the item is PUBLIC.
    //         NOT_OK if a key pair has not yet been stored
    //                for this item.
----
I'll provide these Clerk-based facilities as soon as
possible in a new private development release: 3.501.
----
Marilyn Davis, Ph.D marilyn@deliberate.com
Author of eVote®/Clerk
http://www.deliberate.com -1 650 965-7121