[nSLUG] Evoting Rant
nslug at fop.ns.ca
Thu Oct 18 09:18:52 ADT 2012
On Wed, 17 Oct 2012, Daniel AJ Sokolov wrote:
> If I was going to evote I'd have to trust the HRM, otherwise there would be
> no point in voting (which is why I do not vote for the first time in my
So let me see if I understand what you're saying: you're not sure if you
trust the certificate from HRM so you're calling HRM to make sure the
certificate is correct? I think you have misunderstood the technical
details of SSL and exactly what it is for: the trust is *not* placed at
the end of the certificate chain (in this case, HRM); the trust is in the
*root* certificate, in this case, Verisign. If you wish to validate the
certificate you are absolutely missing the point if you are depending on
the certificate creator as the point of trust is when the certificate is
signed. When the certificate is verified by the browser it does not go to
vote.halifax.ca to verify it, it goes to the owner of the root certificate
that verified it. Does that make any more sense?
> My fear is that some criminal might have set up a server that purports to be
> the evoting server, especially since there is no DNSSec and (what seems to
> be) the HRM Election Office itself tweeted this:
This, on the other hand, is a valid concern. According to whois records
the technical contact for halifax.ca is:
Name: Mr Phillip Evans
Postal address: 5251 Duke St
Halifax NS B3J3A5 Canada
Email: evansp at halifax.ca
On a side note, of interest from the whois records:
> So I ask the election authority to confirm the fingerprint of the SSL
> certificate that I can see in my browser (SHA-1 or SHA-256) of both domains
> used in the process. If they are not the correct person to talk to, they
> should redirect me thither.
Why are you expecting an elections officer to know the intricacies of SSL?
If you are technical enough to be concerned about SSL fingerprints I am
baffled why you are not talking to the technical contact for the domain.
> Coming back to the local media: They haven't even told the p.t. constituents
> that HRM has outsourced the election to a Spanish for-profit company that,
> judging by IP-address, has their servers in the Unites States!
> Whatever the company (Scytl) says will be the e-lection result.
And here is another valid issue.
I think you are conflating the technical issues (and I see no reason why
an elections officer should be assumed to have a comp sci background, and
personally I think you should have asked for the technical contact rather
than throwing technical questions at the elections officer) with a genuine
political issue regarding the ultimate ownership of the underlying
elections system. In particular, I think you should be considering (as
someone else noted to me in a direct email) the implications of the
PATRIOT Act. You should be asking whether a release has been signed to
permit all the elections data (including personal information) to be
transmitted to a third party in the US, for example.
More information about the nSLUG