Voting Security (was: The Next Genaration)

Eric Rescorla <> Thu, 12 September 2019 15:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8066C12012A for <>; Thu, 12 Sep 2019 08:56:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WreI3Fqc8e6v for <>; Thu, 12 Sep 2019 08:56:46 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::12a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E6137120122 for <>; Thu, 12 Sep 2019 08:56:45 -0700 (PDT)
Received: by with SMTP id x80so19816056lff.3 for <>; Thu, 12 Sep 2019 08:56:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vA7yWA6Ytqsw/3ctWZrra5Ohsam6tmXwaa5RMoLYDuQ=; b=uZKFvBvkYMKe+18C3eujLFSt5fC2g4R0RMTRXLC2+4NR9G5ChTQc9a9pKVeYT39bY2 3SVq1lYhaZ8Z23F9KVFzPqk6YnQNOMyLZwyNTNnVvYxN9RYGR7mzQPDq43oZm123EwEi xDTQmaowpwIA5o1s69jW7OFXW0qPN/OxFkKga5mJPHtwuPYQroeQKMiHH3csrRICAgE/ ZEDv9To+5gO8MyDr3ZtQ/Vx4TOWxm6omVLvaYXk0aWNWQSS1AZ5khLG+qpWmlrC0KGWV BpaMXfmz0K73pEAflRf3WWDH9D8NlbIHxpctdHcPmJtPIv2SPSKA7B6Piw3j4aQSgUqT RgUQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vA7yWA6Ytqsw/3ctWZrra5Ohsam6tmXwaa5RMoLYDuQ=; b=cbZAaN8AxYk+wuBiq8+jR5RPCnJhPqph/d+medhKgAZm1eP+7rM22cuFct38csLadv 7+tHm26B2t8P1zzIxzSXFwcoWtywRRymipiybj4pfvBZlqphMgY0L8jBtn8JwjH8rX33 8bMX+h6SupxKQBK/sPWGOTm8NDCC4jQqMKopNdsR7st+qUFrw02AfL2K0yjIScDsZsDK wGFVnz48oXfoM0ohVZNPvvzio2Qg0Amr4CJ/pB5CB7yEDd4MMeMA0Cs807XCpakrt4bl DlBSWreML5j6K4ZftzDeuFxk2I7VBqm2QxgnUfd13ZZIyvfbkPk4JZu/SB03s9pvxvMp R6FA==
X-Gm-Message-State: APjAAAVTJYdOgSway3G+RaI++NIaqfIlExHcC8emrOu9v69bEd5OwtL7 sOGgHxTtyBefikYWPXCC7ZaBLPkaPf7jlyaDD6ZVF6ISFuk=
X-Google-Smtp-Source: APXvYqztCMvYz3a/KPdx7GE7NoA+97uwbU9S2yy3hxro45mA8QBX+U5wjg5u3v3yb7E74Mgsq2mqYIpHj9ZJ4Z3X26I=
X-Received: by 2002:ac2:5a19:: with SMTP id q25mr5290239lfn.178.1568303804132; Thu, 12 Sep 2019 08:56:44 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <20190911194723.GC18811@localhost> <> <> <>
In-Reply-To: <>
From: Eric Rescorla <>
Date: Thu, 12 Sep 2019 08:56:07 -0700
Message-ID: <>
Subject: Voting Security (was: The Next Genaration)
Cc: IETF Discussion Mailing List <>
Content-Type: multipart/alternative; boundary="0000000000002544f105925d2f40"
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 12 Sep 2019 15:56:50 -0000

[Changing the subject line because this is a change of topic.]

On Thu, Sep 12, 2019 at 8:37 AM <> wrote:

> IMHO, if the interest is in protecting the democratic process, the first
> place we should look is the digital voting infrastructure, as that is the
> vector most abused.  Knowing what I do about network and computer security
> in general, I have come to the conclusion that hand counted paper ballots
> with a strong chain of custody are the only way to ensure a free and fair
> election.

This is pretty off-topic for IETF, but might be interesting to people.

I certainly agree that software independence ( is a good objective
for voting systems, and hand-counted paper ballots are one good way to
achieve that. However, there are voting environments where they are
problematic. Specifically, because the time to hand-count ballots scales
with both the number of ballots and the number of contests, in places like
California where there a large number of contests per election it can be
difficult to do a complete hand-count in a reasonable period of time.

One good alternative is hand-marked optical scan ballots which are then
verified via a risk limiting audit ( This can provide a much
more efficient count that still has software independence up to a given
risk level \alpha.


> Scott
> >
> >
> >
> >