
Re: [steering-discuss] About elections


Norbert Thiebaud wrote:
> On Fri, Jun 10, 2011 at 4:07 AM, Michael Meeks wrote:
>> I strongly suggest we simply copy the GNOME process here; this
>> generates a unique random key per person which is mailed out, and used
>> instead of a name when voting; thus the voting record can be published,
>> and independently analysed while keeping it anonymous (outside of the MC
>> that is).

> Just to make sure I understand it correctly:
> it is 'anonymous' but each voter knows _his_ anonymous token and
> therefore can verify that his vote has been recorded accurately, by
> cross-checking the published details-values right?

I can explain the mechanism.

Before the election, a unique token is generated for every voter, and
stored with their email address. This token is mailed out to the voter.
Obviously, since these are stored together, there is no anonymity at
this point.

When I vote, I use my email address and this token to authenticate. Then
I'm brought to a page where I can order the candidates in order of

On successfully voting, a unique anonymous token is created, and stored
in an anonymous token table. This token is used (along with a
preference) to identify which candidates I voted for, and in what order.
The temporary token associated with the email address is at this point
deleted, leaving no way to connect the email address to the anon token.
Then we communicate the anonymous token to the voter, and tell him to
write it down somewhere so that he can check his vote later.

At the end of the election, this does leave us some standard election
type stuff you can do:
* we can tell whether someone has voted or not (but not how they voted)
by checking the temporary auth tokens still left in the database.
* We can publish the ballots, identified by the anon token, so anyone
can check the results, and check their own ballot, but not how others voted.

> and that is the basis of the temper proof mechanism.

Yes, basically.

There are of course security weak-points here. The first and weakest is
the voter's email client: if I gain access to the voter mail, I can vote
in the place of someone using their email & token. The second is the
database itself: if I can get access to the authentication tokens and
the electorate, I can vote for anyone at all.

In principle, we can address the first with gpg, but not everyone
uploads a pgp key. The latter implies trusting the administrators of the
system to be honest. There are ways to encrypt the entire chain with
private key cryptography, but for us that would have complicated the
voting process for a substantial number of people, and been overkill.

> It is incumbent on each member to make sure that he received his token
> and that his vote is correctly counted.

Yes - we can of course resend tokens, and we announce the tokens have
been sent publicly. Until someone votes, we can get & resend the
temporary token easily.

> (that is, make sure that his
> email didn't get intercepted somehow, or that the MC did not receive
> a spoofed email).

Yes, this is the weak point, as I said. pgp signed proves provenance,
but doesn't prevent interception. pgp encryption would do the latter,
but not the former.

> I think that pgp/gpg-signing these emails would remove some possibility
> to interfere with the process.

You would also need to pgp encrypt the temporary token with the voter's
public key to ensure that the election administrator can't vote on
behalf of people.

> OpenSTV is GPL, but only available for download for a fee.

Really? News to me! It wasn't up until OpenSTV 1.6. I'd be happy to
share my copy with anyone who needs it.

Ooh: I just saw this on the openstv blog:

If you have <=10 candidates and <=1000 voters, you can do the voting
online, with hosted OpenSTV.

> It would be nice to find a way for anyone, or at the very least for
> Members, to be able to use the raw result and re-calculate the result
> for themselves...

Why not buy one copy of the source code and share it among OOo members
who don't want to pay $5 to Jeff?

> PS: Not that I am overly concerned about election tempering... but as

Funny - I *just* realised that you meant "tamper" - I honestly thought
you wanted to "temper" (ie harden) the process. Sorry - that just amused
me - not picking on your grammar or anything.


Dave Neary
GNOME Foundation member
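
The two-token flow described in the message above, modelled in Python as an added example; it is not part of the original e-mail and is not the GNOME election code. The `Election` class, its method names, the in-memory tables and the choice to sort published ballots by token are assumptions made for illustration.

```python
import hmac
import secrets


class Election:
    """In-memory model of the two-token scheme (hypothetical class, not the GNOME code)."""

    def __init__(self, electorate, candidates):
        self.electorate = set(electorate)
        self.candidates = set(candidates)
        # Temporary auth tokens, stored WITH the email address: no anonymity yet.
        self.auth = {email: secrets.token_hex(16) for email in self.electorate}
        # Anonymous token -> ranked ballot; this table carries no email address.
        self.ballots = {}

    def vote(self, email, temp_token, ranking):
        expected = self.auth.get(email)
        # Constant-time comparison; a missing row means "already voted" or "not a voter".
        if expected is None or not hmac.compare_digest(expected, temp_token):
            raise PermissionError("bad credentials or already voted")
        if len(set(ranking)) != len(ranking) or not set(ranking) <= self.candidates:
            raise ValueError("invalid ranking")
        anon = secrets.token_hex(16)
        self.ballots[anon] = tuple(ranking)
        # Deleting the temporary token removes the only email <-> ballot link.
        del self.auth[email]
        return anon  # shown to the voter once, to check the ballot later

    def has_voted(self, email):
        # Who voted is visible to the administrators; how they voted is not.
        return email in self.electorate and email not in self.auth

    def published_ballots(self):
        # Sorted by token so publication order does not mirror voting order.
        return sorted(self.ballots.items())


if __name__ == "__main__":
    # Constructed sample electorate and candidates.
    e = Election(["alice@example.org", "bob@example.org"], ["A", "B", "C"])
    receipt = e.vote("alice@example.org", e.auth["alice@example.org"], ["B", "A"])
    print(dict(e.published_ballots())[receipt])
```

Anyone who can read the `auth` table before a vote is cast can vote as that person, which is the database weak point named in the message.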
