Re: Secret votes HOWTO
>>"Seth" == Seth Arnold <email@example.com> writes:
Seth> * Manoj Srivastava <firstname.lastname@example.org> [010403 21:58]:
>> It is simple enough. If the password string is missing, then
>> the advertised default could be to put the gpg id as the password.
>> The user supplied string is not allowed to have a `@` char.
>> In this case, would we still need the hash?
Seth> I think the hash would be preferable since it includes the vote
Seth> itself as well as the private information. I can't put my
Seth> finger on why I like this, but I do.
Umm. Unless there are stronger arguments for the hash, I would
rather not, since comparing hashes takes more effort, and can't be
done from memory, so checking the vote is harder for humans. In
practice, I think this shall substantially reduce the number of
people who actually bother to check their votes.
So, unless people can tell me why having a user supplied
secret string, along with a system generated sequence, is
cryptographically weaker than the hash when it comes to protecting
the secrecy of the vote (the hash does have the added advantage of
protecting your secret string, but that is not really an important
benefit), I am inclined to go with the non-hash.
Seth> Also, any voters who forget to put in random data will (perhaps against
Seth> their desire) have their name matched with their vote. The hash will
Seth> prevent disclosure -- the voter must perform extra work in order to
Seth> advertise his or her vote by supplying their secret and the server's
Seth> secret. (Or their gpg/pgp signed vote, if we like taking people at their
Seth> word, which I think we do.)
Simple enough to rectify. Whenever we get a vote that has the
password missing, the ack would say something like:
"Your vote has been tallied. Your vote was .
NOTE: You appear to want your vote to be PUBLIC. If that was
not your intent, please vote again, giving a valid
password this time."
I also think that people putting their ballots up in separate
places is not as open as having one's name on the final tally -- and
openness is desirable, in my personal opinion.
Old Grandad is dead but his spirits live on.
Manoj Srivastava <email@example.com> <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
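
The two tally formats debated above, side by side, as an added example that is not part of the original message or of any Debian voting software. SHA-256, the field order, the line layouts, the function names and the sample values are all assumptions made for illustration; the thread does not specify them, and the gpg id is assumed to be an e-mail-style identifier.

```python
import hashlib
import secrets

def choose_tag(gpg_id, user_string):
    """Return (tag, is_public). A missing string falls back to the gpg id."""
    if not user_string:
        return gpg_id, True            # advertised default: vote becomes public
    if "@" in user_string:
        raise ValueError("user-supplied string may not contain '@'")
    return user_string, False

def plain_line(vote, tag, server_seq):
    """Non-hash variant: tag and server sequence appear verbatim in the tally."""
    return f"{tag} {server_seq} {vote}"

def receipt_hash(vote, tag, server_secret):
    """Hash variant: digest over the vote, the voter's tag and the server's part."""
    h = hashlib.sha256()               # hash function is an assumption
    for field in (vote, tag, server_secret):
        data = field.encode()
        h.update(len(data).to_bytes(4, "big") + data)  # length prefix keeps fields unambiguous
    return h.hexdigest()

def hashed_line(vote, tag, server_secret):
    return f"{receipt_hash(vote, tag, server_secret)} {vote}"

def ack(is_public):
    msg = "Your vote has been tallied."
    if is_public:
        msg += "\nNOTE: You appear to want your vote to be PUBLIC."
    return msg

def demo():
    gpg_id = "voter@example.org"       # constructed sample identity
    results = {}
    for label, user_string in (("with string", "blue-heron-42"), ("missing", None)):
        tag, is_public = choose_tag(gpg_id, user_string)
        server_part = secrets.token_hex(4)   # per-ballot value returned in the ack
        results[label] = {
            "plain": plain_line("option-A", tag, server_part),
            "hashed": hashed_line("option-A", tag, server_part),
            "ack": ack(is_public),
        }
    return results

if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r, sep="\n  ")
```

With the string missing, the plain line carries the gpg id next to the vote, while the hashed line reveals nothing unless both the tag and the server's part are disclosed; the plain line is the one a voter can check by eye.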