
Re: Secret votes HOWTO

>>"Seth" == Seth Arnold <sarnold@willamette.edu> writes:

 Seth> * Manoj Srivastava <srivasta@debian.org> [010403 21:58]:
 >> It is simple enough. If the password string is missing, then
 >> the advertised default could be to put the gpg id as the password.
 >> The user supplied string is not allowed to have a `@` char.
 >> In this case, would we still need the hash?

 Seth> I think the hash would be preferable since it includes the vote
 Seth> itself as well as the private information. I can't put my
 Seth> finger on why I like this, but I do.

	Umm. Unless there are stronger arguments for the hash, I would
 rather not, since comparing hashes takes more effort, and can't be
 done from memory, so checking the vote is harder for humans. In
 practice, I think this shall substantially reduce the number of
 people who actually bother to check their votes. 

	So, unless people can tell me why having a user supplied
 secret string, along with a system generated sequence, is
 cryptographically weaker than the hash when it comes to protecting
 the secrecy of the vote (the hash does have the added advantage of
 protecting your secret string, but that is not really an important
 benefit), I am inclined to go with the non-hash.

 Seth> Also, any voters who forget to put in random data will (perhaps against
 Seth> their desire) have their name matched with their vote. The hash will
 Seth> prevent disclosure -- the voter must perform extra work in order to
 Seth> advertise his or her vote by supplying their secret and the server's
 Seth> secret. (Or their gpg/pgp signed vote, if we like taking people at their
 Seth> word, which I think we do.)

	Simple enough to rectify. Whenever we get a vote that has the
 password missing, the ack would say something like:

	"Your vote has been tallied. Your vote was [12345].
         NOTE: You appear to want your vote to be PUBLIC. If that was
               not your intent, please vote again, giving a valid
               password this time." 

       I also think that people putting their ballots up in separate
 places is not as open as having one's name on the final tally -- and
 openness is desirable, in my personal opinion.

 Old Grandad is dead but his spirits live on.
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
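
The two tally schemes weighed in this message, side by side, as an added example that is not part of the original e-mail or of Debian's vote software. Assumptions: the function names, SHA-256 with length-prefixed fields as the hash, the four-digit server sequence, and a per-ballot server secret that the voter learns from the ack; the ballots are constructed sample data.

```python
import hashlib

def plain_tag(user_secret, gpg_id, server_seq):
    """Non-hash scheme: return (tally tag, is_public)."""
    if "@" in user_secret:
        raise ValueError("secret string may not contain '@'")
    if not user_secret:  # missing password: default to the voter's gpg id
        return f"{gpg_id} {server_seq}", True
    return f"{user_secret} {server_seq}", False

def hash_tag(user_secret, server_secret, vote):
    """Hash scheme: digest over voter secret, server secret and the vote."""
    h = hashlib.sha256()  # assumption: the thread names no hash function
    for field in (user_secret, server_secret, vote):
        raw = field.encode()
        h.update(len(raw).to_bytes(4, "big") + raw)  # length-prefix each field
    return h.hexdigest()

def ack(vote, is_public):
    msg = f"Your vote has been tallied. Your vote was [{vote}]."
    if is_public:
        msg += ("\nNOTE: You appear to want your vote to be PUBLIC. If that was not"
                " your intent, please vote again, giving a valid password this time.")
    return msg

def find_plain(tally, user_secret):
    """Voter check, non-hash: spot the remembered string in the tally."""
    return [vote for tag, vote in tally if tag.rsplit(" ", 1)[0] == user_secret]

def find_hashed(tally, user_secret, server_secret, vote):
    """Voter check, hash: recompute the digest, then look it up."""
    return hash_tag(user_secret, server_secret, vote) in dict(tally)

# Constructed sample ballots: (gpg id, user secret, vote); bob left the secret out.
BALLOTS = [("alice@example.org", "blue heron", "12345"),
           ("bob@example.org", "", "21345")]

def build_tallies(ballots):
    plain, hashed, acks = [], [], []
    for seq, (gpg_id, secret, vote) in enumerate(ballots, 1):
        tag, public = plain_tag(secret, gpg_id, f"{seq:04d}")
        plain.append((tag, vote))
        # "srv-NNNN" is a constructed stand-in for a random per-ballot server secret
        hashed.append((hash_tag(secret, f"srv-{seq:04d}", vote), vote))
        acks.append(ack(vote, public))
    return plain, hashed, acks
```

In the non-hash tally bob's line carries his gpg id and his ack includes the PUBLIC note, while in the hash tally his line stays opaque even with an empty secret; checking a hashed line requires recomputing a digest rather than recognising a remembered string.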
