1 |
On Sat, Aug 28, 2021 at 12:30:15PM +0200, Michał Górny wrote: |
2 |
> Please review the following pre-GLEP. |
3 |
Please don't take the rest of my mail as a dismissal, but rather as |
4 |
considering how to protect Gentoo's voting system from any attack that I |
5 |
feel I might even remotely have the system privilege level to conduct. |
6 |
|
7 |
I absolutely do want improvements to Gentoo's voting process, like I |
8 |
said last year in mentioning mail-in ballot systems. |
9 |
|
10 |
> |
11 |
> --- |
12 |
> GLEP: 9999 |
13 |
> Title: Secrecy-respecting voting mechanism for Gentoo projects |
14 |
> Author: Michał Górny <mgorny@g.o> |
15 |
> Type: Standards Track |
16 |
> Status: Draft |
17 |
> Version: 1 |
18 |
> Created: 2021-08-27 |
19 |
> Last-Modified: 2021-08-27 |
20 |
> Post-History: 2021-08-27 |
21 |
> Content-Type: text/x-rst |
22 |
Can you please reference all of your earlier proposals about changing |
23 |
the voting system, because this isn't the first time you've suggested |
24 |
it, and there have been prior suggestions by others as well. |
25 |
|
26 |
... |
27 |
> The election process |
28 |
> -------------------- |
29 |
> |
30 |
> Each election/referendum consists of the following steps: |
31 |
> |
32 |
> 1. A developer creates a new election/referendum. During this step, |
33 |
> the developer specifies whether the boundary dates for each election |
34 |
> phase, the voter list and the (potential) candidates. |
35 |
> |
36 |
> 2. If the nomination phase is applicable, the system accepts nominations |
37 |
> from the voters. Each nominated candidate is mailed about |
38 |
> the nomination, and given the explicit choice of accepting |
39 |
> or declining it. If the nomination is accepted, the candidate may |
40 |
> also upload a manifesto. |
41 |
> |
42 |
> 3. When the voting phase beings, the system creates random identifiers |
43 |
> for all voters. Each identifier is encrypted using voter's PGP key |
44 |
> and sent via email to the voter. The voter-identifier mapping is |
45 |
> discarded immediately to reduce the risk of it leaking. |
46 |
What if each voter generates their OWN identifier (using tooling), and |
47 |
includes it in an encrypted ballot, such that it later winds up in the |
48 |
master ballot, where they can verify it... |
49 |
|
50 |
> If the nomination phase was enabled, the system also creates |
51 |
> the final candidate list from nominees who accepted their nomination. |
52 |
> |
53 |
> 4. Voters submit their votes using their random identifiers. |
54 |
Can you expand on this step more? |
55 |
|
56 |
If I send a mail to the gentoo.org email system, it must by definition |
57 |
contain somewhere: |
58 |
- my email address as the sender |
59 |
- my identifier |
60 |
|
61 |
If there's no encryption on the return mail, both details are |
62 |
potentially available to anybody in infra, which is one of the parties |
63 |
we want to block. |
64 |
|
65 |
Obviously then, some encryption is required, but where and how? |
66 |
|
67 |
I think we need to decide on which requirements/concerns matter more: |
68 |
- tamper-proof/evident |
69 |
- secrecy: of ballot content (e.g. who did X vote for?) |
70 |
- secrecy: of vote existence (e.g. did X vote) |
71 |
- ballot stuffing protection |
72 |
- identity fraud |
73 |
- pay-for-specific-vote (bribes to vote for Mallory) |
74 |
|
75 |
And then consider how to handle those. These are not the only |
76 |
requirements that might exist in a voting system, but some of the |
77 |
partial list that came to mind while writing this email, based on my |
78 |
knowledge and background. |
79 |
|
80 |
There are two sets of "trusted" parties: |
81 |
- election officials: who could collude to tamper with a master ballot |
82 |
[1] |
83 |
- infra: who have access to email, LDAP, root on systems. As a statement |
84 |
of fact today data about the envelope from/to/msg-id/subject/date and |
85 |
some extra headers are always logged. |
86 |
Any mail in the queue could theoretically be examined for it's body as |
87 |
well. |
88 |
|
89 |
[1] How can election officials tamper with votify today? If the election |
90 |
officials were to collude, they can create inject additional ballots |
91 |
between the countify --collect and countify --rank phase. |
92 |
|
93 |
Some of these requirements can be see as in opposition to each other: |
94 |
how do you prevent ballot stuffing & identity fraud while also knowing |
95 |
who did or didn't vote. |
96 |
|
97 |
Last year, I recall having some discussions about how real-world mail-in |
98 |
ballots are conducted, using nested envelopes, and strict separation of |
99 |
responsibilities. I will note that not all mail-in systems permit you to |
100 |
replace your earlier ballot, as a tradeoff in their design. |
101 |
|
102 |
The one local to me uses this model: |
103 |
https://elections.bc.ca/docs/VoteByMailInstructions.pdf |
104 |
|
105 |
- 0: A ballot, with the choices, and possibly identification markings on |
106 |
the ballot itself (**, this exists in some systems to detect some |
107 |
forms of ballot stuffing, e.g. if serial numbers 1-500 went to |
108 |
location X, they shouldn't turn up in location Y, which had numbers |
109 |
500-1000). |
110 |
- A: secrecy sleeve/envelope, to hide what the ballot says [encryption] |
111 |
- B: certification envelope, that identifies the voter [authentication] |
112 |
- C: mail envelope, that is addressed to the elections organization, and |
113 |
gets a time-coded stamp when it's received (via postmarking, which may |
114 |
also disclose the location of the voter). |
115 |
|
116 |
This system requires two trusted but separate groups of people, (G1, G2): |
117 |
G1.1. - when each envelope C arrives, verify B against database, notate |
118 |
when it arrived. Discard earlier envelope B from the voter. |
119 |
Separate any envelope B for where it cannot be verified against |
120 |
the database. |
121 |
G1.2. - at the counting time, open the latest envelope C for each |
122 |
eligible voter, and produce a pile of SEALED secrecy sleeves/envelopes. |
123 |
G2.1. - Gets the sleeves with ballots inside them, and tallies ballots to produce the outcome. |
124 |
|
125 |
I think we can implement at least part of this with infra & election |
126 |
officials as trusted-AND-separate groups. |
127 |
|
128 |
The following isn't a fully fleshed out plan, and we can probably look |
129 |
at existing proposals and find something that's close enough to our |
130 |
requirements. |
131 |
|
132 |
Infra will end up knowing who voted, because they have access to the |
133 |
email logs. So any system we design needs to make sure that Infra cannot |
134 |
inject a vote of somebody else who didn't vote. I think the most obvious |
135 |
way to do this is something like the certification envelope, which could |
136 |
take the form of a GPG-signed message (but the message content must be |
137 |
separately encrypted) |
138 |
|
139 |
The system would have to take the latest signed message for each voter, |
140 |
and export ONLY the encrypted content (without decrypting it). This also |
141 |
produces a list of who voted as an additional output (but it should be |
142 |
impossible to map a given name to a given ballot). |
143 |
|
144 |
The ballots themselves need to be separately encrypted TO the election |
145 |
officials for a given election. |
146 |
|
147 |
What should be inside a ballot? |
148 |
- Identifier, generated by the voter's system, so that the voter can |
149 |
confirm that THEIR ballot was included, and was not tampered with. |
150 |
The voter should NOT choose an identifier that accidentally discloses |
151 |
their identity to any other part. |
152 |
- The choices of the voter |
153 |
|
154 |
|
155 |
What are the holes in this system? |
156 |
|
157 |
If a voter discloses their ballot identifier to a third party BEFORE the |
158 |
master ballot is published, then the third party can be sure who the |
159 |
voter picked. This is under the pay-for-specific vote concern. |
160 |
|
161 |
This mail to be continued. |
162 |
|
163 |
-- |
164 |
Robin Hugh Johnson |
165 |
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer |
166 |
E-Mail : robbat2@g.o |
167 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
168 |
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136 |