Bureaucrats, developer, Administrators
9,842
edits
Board vote code: Difference between revisions
Good point, this would render the system near untamperable beyond reasonable doubt
m (fix linking to disinfopedia) |
(Good point, this would render the system near untamperable beyond reasonable doubt) |
||
| Line 31: | Line 31: | ||
An improvement to this system would be to sign encrypted election records with a secret key stored on the server. With the current system, if someone's vote disappears, the administration could conceivably claim that they are making up the story. If they have a signed record to prove that they did actually vote, it means that either the votes were tampered with or that the claimant hacked into the server and obtained the private key. Either case should be sufficient cause to declare the election invalid. | An improvement to this system would be to sign encrypted election records with a secret key stored on the server. With the current system, if someone's vote disappears, the administration could conceivably claim that they are making up the story. If they have a signed record to prove that they did actually vote, it means that either the votes were tampered with or that the claimant hacked into the server and obtained the private key. Either case should be sufficient cause to declare the election invalid. | ||
:Good point, this would render the system near untamperable beyond reasonable doubt --[[User:Juxo|Juxo]] 13:49, 27 Jun 2004 (EEST) | |||
Secrecy, that is preventing anyone from discovering who voted for who, is also very important. My original idea was to preserve secrecy except from the private key holder. I later realised that simply leaving the username off the encrypted records would discourage casual snooping by the private key holder. It also makes it harder for a developer to breach secrecy by reading the temporary files input to GPG. I made no effort to prevent a determined private key holder from working out who voted for who, although this may be possible in principle. | Secrecy, that is preventing anyone from discovering who voted for who, is also very important. My original idea was to preserve secrecy except from the private key holder. I later realised that simply leaving the username off the encrypted records would discourage casual snooping by the private key holder. It also makes it harder for a developer to breach secrecy by reading the temporary files input to GPG. I made no effort to prevent a determined private key holder from working out who voted for who, although this may be possible in principle. | ||