| 1 |
On Sat, Aug 28, 2021 at 12:30:15PM +0200, Michał Górny wrote: |
| 2 |
> Please review the following pre-GLEP. |
| 3 |
Please don't take the rest of my mail as a dismissal, but rather as |
| 4 |
considering how to protect Gentoo's voting system from any attack that I |
| 5 |
feel I might even remotely have the system privilege level to conduct. |
| 6 |
|
| 7 |
I absolutely do want improvements to Gentoo's voting process, like I |
| 8 |
said last year in mentioning mail-in ballot systems. |
| 9 |
|
| 10 |
> |
| 11 |
> --- |
| 12 |
> GLEP: 9999 |
| 13 |
> Title: Secrecy-respecting voting mechanism for Gentoo projects |
| 14 |
> Author: Michał Górny <mgorny@g.o> |
| 15 |
> Type: Standards Track |
| 16 |
> Status: Draft |
| 17 |
> Version: 1 |
| 18 |
> Created: 2021-08-27 |
| 19 |
> Last-Modified: 2021-08-27 |
| 20 |
> Post-History: 2021-08-27 |
| 21 |
> Content-Type: text/x-rst |
| 22 |
Can you please reference all of your earlier proposals about changing |
| 23 |
the voting system, because this isn't the first time you've suggested |
| 24 |
it, and there have been prior suggestions by others as well. |
| 25 |
|
| 26 |
... |
| 27 |
> The election process |
| 28 |
> -------------------- |
| 29 |
> |
| 30 |
> Each election/referendum consists of the following steps: |
| 31 |
> |
| 32 |
> 1. A developer creates a new election/referendum. During this step, |
| 33 |
> the developer specifies whether the boundary dates for each election |
| 34 |
> phase, the voter list and the (potential) candidates. |
| 35 |
> |
| 36 |
> 2. If the nomination phase is applicable, the system accepts nominations |
| 37 |
> from the voters. Each nominated candidate is mailed about |
| 38 |
> the nomination, and given the explicit choice of accepting |
| 39 |
> or declining it. If the nomination is accepted, the candidate may |
| 40 |
> also upload a manifesto. |
| 41 |
> |
| 42 |
> 3. When the voting phase beings, the system creates random identifiers |
| 43 |
> for all voters. Each identifier is encrypted using voter's PGP key |
| 44 |
> and sent via email to the voter. The voter-identifier mapping is |
| 45 |
> discarded immediately to reduce the risk of it leaking. |
| 46 |
What if each voter generates their OWN identifier (using tooling), and |
| 47 |
includes it in an encrypted ballot, such that it later winds up in the |
| 48 |
master ballot, where they can verify it... |
| 49 |
|
| 50 |
> If the nomination phase was enabled, the system also creates |
| 51 |
> the final candidate list from nominees who accepted their nomination. |
| 52 |
> |
| 53 |
> 4. Voters submit their votes using their random identifiers. |
| 54 |
Can you expand on this step more? |
| 55 |
|
| 56 |
If I send a mail to the gentoo.org email system, it must by definition |
| 57 |
contain somewhere: |
| 58 |
- my email address as the sender |
| 59 |
- my identifier |
| 60 |
|
| 61 |
If there's no encryption on the return mail, both details are |
| 62 |
potentially available to anybody in infra, which is one of the parties |
| 63 |
we want to block. |
| 64 |
|
| 65 |
Obviously then, some encryption is required, but where and how? |
| 66 |
|
| 67 |
I think we need to decide on which requirements/concerns matter more: |
| 68 |
- tamper-proof/evident |
| 69 |
- secrecy: of ballot content (e.g. who did X vote for?) |
| 70 |
- secrecy: of vote existence (e.g. did X vote) |
| 71 |
- ballot stuffing protection |
| 72 |
- identity fraud |
| 73 |
- pay-for-specific-vote (bribes to vote for Mallory) |
| 74 |
|
| 75 |
And then consider how to handle those. These are not the only |
| 76 |
requirements that might exist in a voting system, but some of the |
| 77 |
partial list that came to mind while writing this email, based on my |
| 78 |
knowledge and background. |
| 79 |
|
| 80 |
There are two sets of "trusted" parties: |
| 81 |
- election officials: who could collude to tamper with a master ballot |
| 82 |
[1] |
| 83 |
- infra: who have access to email, LDAP, root on systems. As a statement |
| 84 |
of fact today data about the envelope from/to/msg-id/subject/date and |
| 85 |
some extra headers are always logged. |
| 86 |
Any mail in the queue could theoretically be examined for it's body as |
| 87 |
well. |
| 88 |
|
| 89 |
[1] How can election officials tamper with votify today? If the election |
| 90 |
officials were to collude, they can create inject additional ballots |
| 91 |
between the countify --collect and countify --rank phase. |
| 92 |
|
| 93 |
Some of these requirements can be see as in opposition to each other: |
| 94 |
how do you prevent ballot stuffing & identity fraud while also knowing |
| 95 |
who did or didn't vote. |
| 96 |
|
| 97 |
Last year, I recall having some discussions about how real-world mail-in |
| 98 |
ballots are conducted, using nested envelopes, and strict separation of |
| 99 |
responsibilities. I will note that not all mail-in systems permit you to |
| 100 |
replace your earlier ballot, as a tradeoff in their design. |
| 101 |
|
| 102 |
The one local to me uses this model: |
| 103 |
https://elections.bc.ca/docs/VoteByMailInstructions.pdf |
| 104 |
|
| 105 |
- 0: A ballot, with the choices, and possibly identification markings on |
| 106 |
the ballot itself (**, this exists in some systems to detect some |
| 107 |
forms of ballot stuffing, e.g. if serial numbers 1-500 went to |
| 108 |
location X, they shouldn't turn up in location Y, which had numbers |
| 109 |
500-1000). |
| 110 |
- A: secrecy sleeve/envelope, to hide what the ballot says [encryption] |
| 111 |
- B: certification envelope, that identifies the voter [authentication] |
| 112 |
- C: mail envelope, that is addressed to the elections organization, and |
| 113 |
gets a time-coded stamp when it's received (via postmarking, which may |
| 114 |
also disclose the location of the voter). |
| 115 |
|
| 116 |
This system requires two trusted but separate groups of people, (G1, G2): |
| 117 |
G1.1. - when each envelope C arrives, verify B against database, notate |
| 118 |
when it arrived. Discard earlier envelope B from the voter. |
| 119 |
Separate any envelope B for where it cannot be verified against |
| 120 |
the database. |
| 121 |
G1.2. - at the counting time, open the latest envelope C for each |
| 122 |
eligible voter, and produce a pile of SEALED secrecy sleeves/envelopes. |
| 123 |
G2.1. - Gets the sleeves with ballots inside them, and tallies ballots to produce the outcome. |
| 124 |
|
| 125 |
I think we can implement at least part of this with infra & election |
| 126 |
officials as trusted-AND-separate groups. |
| 127 |
|
| 128 |
The following isn't a fully fleshed out plan, and we can probably look |
| 129 |
at existing proposals and find something that's close enough to our |
| 130 |
requirements. |
| 131 |
|
| 132 |
Infra will end up knowing who voted, because they have access to the |
| 133 |
email logs. So any system we design needs to make sure that Infra cannot |
| 134 |
inject a vote of somebody else who didn't vote. I think the most obvious |
| 135 |
way to do this is something like the certification envelope, which could |
| 136 |
take the form of a GPG-signed message (but the message content must be |
| 137 |
separately encrypted) |
| 138 |
|
| 139 |
The system would have to take the latest signed message for each voter, |
| 140 |
and export ONLY the encrypted content (without decrypting it). This also |
| 141 |
produces a list of who voted as an additional output (but it should be |
| 142 |
impossible to map a given name to a given ballot). |
| 143 |
|
| 144 |
The ballots themselves need to be separately encrypted TO the election |
| 145 |
officials for a given election. |
| 146 |
|
| 147 |
What should be inside a ballot? |
| 148 |
- Identifier, generated by the voter's system, so that the voter can |
| 149 |
confirm that THEIR ballot was included, and was not tampered with. |
| 150 |
The voter should NOT choose an identifier that accidentally discloses |
| 151 |
their identity to any other part. |
| 152 |
- The choices of the voter |
| 153 |
|
| 154 |
|
| 155 |
What are the holes in this system? |
| 156 |
|
| 157 |
If a voter discloses their ballot identifier to a third party BEFORE the |
| 158 |
master ballot is published, then the third party can be sure who the |
| 159 |
voter picked. This is under the pay-for-specific vote concern. |
| 160 |
|
| 161 |
This mail to be continued. |
| 162 |
|
| 163 |
-- |
| 164 |
Robin Hugh Johnson |
| 165 |
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer |
| 166 |
E-Mail : robbat2@g.o |
| 167 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
| 168 |
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136 |
Archives