Security and Transparency Subcommittee (STS) Teleconference

Tuesday, October 24, 2006

Agenda:

1) Administrative Updates
* Scheduling of additional STS calls
* TGDC meeting agenda and strategy
2) Discussion of Security and Audit Architecture for IDV Voting Systems
3) Other Items
4) Next call Tuesday, October 31, 2006 at 10:30AM.

Participants: John Kelsey, Ron Rivest, John Wack, Helen Purcell, Nelson Hastings, Alicia Clay, Sharon Laskowski, Allan Eustis, Rene Peralta, David Flater

Administrative Updates:

  • Ron Rivest: NPR has a voting section on "Talk of the Nation" with Gregorio, Doug Jones, Kim Brace, and Jim Dixon today.
  • STS Meeting Schedule: Additional meeting dates were fine. Week of Nov. 7, possibly Thursday.

TGDC Meeting:

  • STS will have a 3 hour block of time to fill. With what? The format is up to the subcommittee.
  • Subcommittee chairs are welcome to do an overview; any requests to speak would be honored.
  • We need to identify big ticket items.
  • One thing Security Division has been thinking about is the position paper on stand-alone DREs, overview of IDV DRE systems, and an overview of what requirements would look like. Do we need a resolution for this? Can we find a way to make them better to make them good enough? Make sure we don't slight the usability community. We want to avoid the notion that there's competition between usability, accessibility, and security.
  • Maybe discussion on end-to-end of verifiable systems since proposed requirements are so different.
  • Discussion on wireless piece.
  • TGDC has not seen new revision of our outline, so maybe discussion of our overall security architecture.
  • Discussion on approaches to paper records and what requirements are going to be. This may be linked to IV systems.
  • Timetable when all this takes effect and the effect on systems in the field. (We have to make clear that these changes won't be instant and machines will not have to be certified with these requirements until 2010.) Is this TGDC authority or is the timetable under EAC authority? EAC is saying that VVSG 07 will follow the same path as 05, but no decision. Vendors want to write changes to 07 so might affect timetable. Request to EAC to have a frame-setting presentation at beginning of plenary meeting.
  • STS needs to come up with an outline for our session.
  • Draft agenda of December meeting to be sent out in a week or so.
  • Meeting: reception Sunday night, Dec. 4 will be 8:30-5:00, Dec. 5 will be 8:30-2:00.
  • Ron would like to cover security documentation requirements.
  • Are we going to present draft resolutions for our list of controversial issues to be discussed? It would be good to prepare them ahead of time.
  • We need to make sure we have the right list of things to discuss and priority order. Nelson and Alicia will send a draft of items to be discussed and possible time needed.

Discussion of Security and Audit Architecture for IDV Voting Systems - John Kelsey

  • Just written as a thought piece to get through issues to write requirements, doesn't have high-level requirements that we're going to need.
  • The goal for the IDV system is to have two computerized systems that are keeping records so both would have to be compromised for there to be election fraud. Easy lock down for 2nd machine in a more permanent sense, built around open standards. These two machines should be independent with a public interface, open format to talk between two systems.
  • Auditing system should be available for more than one election process - is this possible?
  • How much would be required of election officials? We want to make as much as possible of the auditing process on these IDVs automatic.
  • All-electronic voting machines are sensitive to "chain of custody" problems just as paper based systems. Poll workers will handle them as well as stuff from DREs.
  • Electronic records are easier to secure and prevent tampering with digital signatures.
  • Cryptography doesn't stop all problems, just makes them smaller. Still "chain of custody" issue - need process.
  • Digital signatures can be produced on paper records as well, but still need to check manually.
  • Paper records definitely burdensome - easier to preserve electronic records.
  • Harder to alter electronic records/ballots with signatures whereas you could substitute paper ballots.
  • Paper rolls more secure because they are easier to handle, smaller, and can be locked up and protected easily.
  • VVPAT records get taken into a canister which remains sealed and you'd have to break seal to compromise. With opscan machines, poll workers handle the records. Main advantage is that rolls are sealed and it's very hard to change one or two ballots you don't like.
  • How important is it in electronic records that we destroy order of voting? This is critical. Paper rolls for privacy are not good. We should not follow that example for electronic records. Not a good idea to store in order.
  • 99% of time paper rolls not opened. Too easy to make more copies of electronic records and they are more easily distributed.
  • Precedent has been set to shuffle records and that will be expected.
  • Absentee ballots should not be associated with poll voting in this context.
  • Sharon pointed out that we cannot forget usability and accessibility when talking about paper rolls. If VVPAT is only for auditing, HAVA doesn't require same rules.
  • VVPAT was rushed into production. HAVA did not require VVPAT, it was done as an add-on. We need more requirements to improve it. Should we do performance benchmarks?
  • If we propose all electronic systems, how will they be tested/vetted? We need to do prototypes?
  • We need to write standards and requirements to push the vendors to do better.
  • These IDV standards are new architecture, not represented by anything on the market.
  • John K - We need to answer the question, "If you had to build an all-electronic voting system with current technology, what would it look like?"
  • You need to make sure there's a meaningful audit of the election process that could be done with the electronic records.
  • We need to come up with requirements for a couple of protocols.
  • If we go with the electronic approach, vendors must meet same requirements posed on paper ballot machines.
  • TGDC should talk to EAC about our requirements.
  • IDV and usability testing should be more often than every four years.
  • IDV systems should be a bridge for people who don't want to deal with paper to get to end-to-end systems.
  • Concern about two black boxes auditing each other.
  • Maybe we should think about no electronic standards in 07 and do crypto standards in the next version.
  • David W - Worried about standardizing IDV. Don't think we know how to make them safe or certify them. Thinks that software dependent IDV systems are unlikely to be independent. No clue how to verify externally that they are independent. We do not know how to build a certification system for them. Crypto end-to-end would be better. Crypto systems are not totally electronic. The only systems we have a chance of certifying are the software independent ones.
  • IDV systems have procedural issues. Need independent auditing.
  • John W - Suggest we have a TGDC resolution saying we can't write these requirements now, we need to research beforehand. We haven't seen the marketplace come up with any approaches.
  • Election officials asked for an alternative to VVPAT. We should at least try before saying we can't do it.
  • David W - Group has developed a prototype of an IDV system. Key component is how do we certify it. Can see how to certify end-to-end systems but not IDV.
  • Must do interoperability testing.
  • John K - Needs feedback. Should we be pursuing writing standards for VVSG 2007 that include all-electronic IDV systems, and if not, what is the alternative?
  • Alicia - Feels that everyone agrees that we can write requirements for end-to-end, but we need a bridge, either untestable IDV requirements or insufficient DRE requirements or paper?
  • John K - Doesn't think we can write end-to-end requirements for 2007. Maybe write process.
  • Ron - Maybe we should focus on processes and testable requirements we are providing for paper based systems.
  • John K - What we need to do is write requirements for the paper based systems we know how to certify and come up with a process that new profiles can be certified. Some profiles are just not workable.
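The dual-record architecture and audit discussed above, as an added example that is not from the minutes or from NIST: two systems seal every ballot with independent keys, each shuffles its own store so voting order is destroyed, and an audit passes only when both stores agree. HMAC in place of digital signatures, the record layout, and the tamper helper are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets
from collections import Counter

# Constructed sample keys, one per system; HMAC stands in for the digital
# signatures the minutes mention (an assumption of this example, as is the format).
KEY_DRE = secrets.token_bytes(32)    # the voting machine's key
KEY_AUDIT = secrets.token_bytes(32)  # the independent audit device's key

def seal(record, key):
    """Return (record, tag); the tag covers a canonical encoding of the record."""
    body = json.dumps(record, sort_keys=True).encode()
    return (record, hmac.new(key, body, hashlib.sha256).hexdigest())

def record_election(ballots):
    """Each system records every ballot and shuffles its own store, so neither
    preserves the order in which votes were cast."""
    rng = secrets.SystemRandom()
    dre = [seal(dict(b), KEY_DRE) for b in ballots]
    audit = [seal(dict(b), KEY_AUDIT) for b in ballots]
    rng.shuffle(dre)
    rng.shuffle(audit)
    return dre, audit

def verify(records, key):
    """Check every tag; return (multiset of valid ballots, number of bad tags)."""
    valid, bad = Counter(), 0
    for rec, tag in records:
        if hmac.compare_digest(seal(rec, key)[1], tag):
            valid[json.dumps(rec, sort_keys=True)] += 1
        else:
            bad += 1
    return valid, bad

def reconcile(dre, audit):
    """Pass only if no tag is bad on either system and both hold the same
    multiset of ballots; a change confined to one system therefore fails."""
    dre_valid, dre_bad = verify(dre, KEY_DRE)
    audit_valid, audit_bad = verify(audit, KEY_AUDIT)
    return dre_bad == 0 and audit_bad == 0 and dre_valid == audit_valid

def tamper(records, index, choice, key=None):
    """Simulate a compromise of one system: change one stored ballot, keeping the
    old tag, or re-sealing it when the attacker also holds that system's key."""
    rec, tag = records[index]
    new = dict(rec, choice=choice)
    changed = seal(new, key) if key else (new, tag)
    return records[:index] + [changed] + records[index + 1:]

BALLOTS = [{"contest": "Mayor", "choice": c} for c in "ABACB"]
```

Because the audit compares multisets, the shuffled stores reconcile without exposing the order of voting, and a record changed on only one system fails the audit whether or not its tag was regenerated.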

Next meeting, Tuesday, October 31, 2006.


Last updated: July 25, 2007