[nSLUG] Evoting Rant
Daniel AJ Sokolov
daniel at falco.ca
Wed Oct 17 17:02:13 ADT 2012
On 17.10.2012 11:49, Dop Ganger wrote:
> You stated "They are unable to verify fingerprints of the SSL
> certificates in use", which therefore means the certificate is
> untrusted, yes?
> Or did I misunderstand and you expected the officer to validate the SHA
> and/or MD5 fingerprint? If so, you were calling the wrong people - you
> should call the issuer (Verisign) to validate the fingerprint as they
> are the purported issuer of this certificate. In addition, I highly
> doubt you were talking to the person at HRM who requested the
> certificate, and even then if it is an issue of trust the requester is
> not the person to ask to verify as they are not the trusted party in
> this instance.

If I was going to evote I'd have to trust the HRM, otherwise there would
be no point in voting (which is why I do not vote for the first time in

My fear is that some criminal might have set up a server that purports
to be the evoting server, especially since there is no DNSSec and (what
seems to be) the HRM Election Office itself tweeted this:

So I ask the election authority to confirm the fingerprint of the SSL
certificate that I can see in my browser (SHA-1 or SHA-256) of both
domains used in the process. If they are not the correct person to talk
to, they should redirect me thither.

Coming back to the local media: They haven't even told the p.t.
constituents that HRM has outsourced the election to a Spanish
for-profit company that, judging by IP-address, has their servers in the

Whatever the company (Scytl) says will be the e-lection result.
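The fingerprint check discussed in this message, as an added example that is not part of the original post: it hashes the DER bytes of a served certificate and compares the result with a value confirmed over a separate channel. The function names and the sample certificate bytes are assumptions made for illustration; the sample is a constructed stand-in, not a real certificate.

```python
import hashlib
import hmac
import ssl

# Constructed stand-in for DER certificate bytes (NOT a real certificate),
# wrapped as PEM so the example runs offline. For a live check the PEM
# could instead come from ssl.get_server_certificate((host, 443)).
SAMPLE_DER = b"constructed stand-in for a DER-encoded certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

# Hex digest length -> hash algorithm, so the caller does not have to say
# whether the confirmed value is SHA-1 or SHA-256.
ALGOS = {40: "sha1", 64: "sha256"}


def normalize(fingerprint: str) -> str:
    """Remove the separators browsers display (colons, spaces) and lower-case."""
    hexstr = "".join(c for c in fingerprint if c not in ": -\t\n").lower()
    if len(hexstr) not in ALGOS or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError("not a SHA-1 or SHA-256 fingerprint")
    return hexstr


def fingerprint(pem: str, algo: str = "sha256") -> str:
    """A certificate fingerprint is the hash of the whole DER encoding."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.new(algo, der).hexdigest()


def matches(pem: str, confirmed: str) -> bool:
    """True only if the served certificate hashes to the confirmed value."""
    want = normalize(confirmed)
    got = fingerprint(pem, ALGOS[len(want)])
    return hmac.compare_digest(got, want)


if __name__ == "__main__":
    # Stand-in for the value the certificate owner would read out or publish.
    confirmed = fingerprint(SAMPLE_PEM).upper()
    print("match" if matches(SAMPLE_PEM, confirmed) else "MISMATCH")
```

A match shows only that the certificate served is the one the confirming party described, so the confirmed value has to arrive over a channel other than the connection being checked.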