Cosource Proposal: Implement vote-checking network
                     for eVote®/Clerk
 
 eVote®/Clerk provides a non-hierarchical
 decision-making system for online groups.  Currently,
 two user interfaces, or "eVote" interfaces, are
 implemented: telnet and email.  The email interface
 allows any member of an email list to administer a poll
 for the group that is meeting via the email list.  Only
 the list members can vote.
 
 The email interface also enables anyone with an email
 list to generate and administer an internet petition
 that is served from the WWW as well as via email.  A
 petition can be administered by a collaborating group
 that meets via email list.  Petitions can be signed, or
 voted on, by anyone with an email address.  The
 petition facility speaks several languages and new
 languages are easily added.
 
 These interfaces are served by "The Clerk", a
 specialized database server, or vote-server, that
 totally automates the evolution of schema, and thereby
 takes all the responsibility and power of the vote
 system away from the system administrator, making it a
 best-possible candidate for administering secure
 elections.
 
 This system is unique among online voting systems in
 that it is the only system that addresses the potential
 of attack from the administrator.
 
 The user interfaces are released as open source
 software but, because The Clerk's main feature is that
 it protects the users from the administrator, the
 source is secret (so far) and is only in the hands of a
 few trusted volunteers.
 
 The author of the software, Marilyn Davis, wishes to
 release the source for The Clerk, and the eVote
 interfaces, under the GPL, but, in order not to
 compromise the accountability of polls, the author
 needs to have a network layer in place first.  This is
 the specification of that network/security layer.  Its
 implementation will not only provide absolute
 accountability for online voting, but will also trigger
 the release of the source code for The Clerk and put
 the entire project under the GPL.
 
 If anyone is interested in developing the
 user-interface for this specification, please collect
 the current source code from:
 http://www.deliberate.com.  Marilyn Davis is available
 to answer questions and check internal specifications
 and code at evote-workers@deliberate.com, a majordomo
 email list.  Please join.
 
 Also, please comment on and improve this specification.
 
 ===== ====== ======= =============
 Clerk Source Release Specification
 ===== ====== ======= =============
 
 This specification describes the network layer required
 to release the source to The Clerk so that the accuracy
 of secret-vote polls is guaranteed.
 
 This specification makes no attempt to guarantee the
 privacy of such polls.  Privacy will be the subject of
 a future release.  This current work is designed to be
 the minimum required for absolute accountability of the
 polls; so that the source can be released and the free
 software communities can develop guarantees against
 attacks on privacy.
 
 This specification is in three parts: the "External
 Specification", which describes the users' view; the
 "Non-Repudiation Specification", which details the
 design of the non-repudiation feature; and the
 "Internal Specification", which specifies the
 implementation design.
 
 ----
 
 External Specification -- the user's view
 ======== =============
 
 The current version, eVote®/Clerk 2.5, is an email
 interface for voting.  When there is a non-public poll,
 i.e., one where the votes are not public, the user who
 initiated the poll sends an "eVote close" command in an
 email message to close the poll to further voting.
 eVote sends back a confirmation message, which contains
 a random key in the subject line.  When the message is
 returned, the software marks the poll as closed and
 sends the final tally to the list members.
 
 For the GPL-ed version, the "eVote close" command on
 non-public poll types will be significantly enhanced to
 spark a human/computer collaboration that effects a
 secure cross-network check of the vote data that
 involves three eVoted facilities.  In the discussion
 below, eVoted facilities will be on the domains:
 alice.net, bob.net and similar names.  The poll
 administrator will be jane@doe.net who is a member of
 the lwv-meeting@alice.net email list, which is an
 eVoted email list.
 
 The new "eVote close" command will accept an optional
 argument: the warning-time:
 
 eVote close 48
 
 The default warning-time will be 24 hours.
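As an added example, not eVote code, here is a C parser for the enhanced close command as described above: it applies the 24-hour default when the argument is absent and rejects a warning-time that is not a positive whole number of hours. The function names, the -1 failure value of parsed_hours and the 3600-second hour arithmetic are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define DEFAULT_WARNING_HOURS 24L   /* the default named in the specification */

/* Parse the first line of an "eVote close [hours]" message.  Returns 1 and
 * sets *hours on success; 0 if the line is not a close command or the
 * argument is not a positive whole number of hours. */
int parse_close_command(const char *line, long *hours) {
    while (isspace((unsigned char)*line)) line++;
    if (strncmp(line, "eVote", 5) != 0 || !isspace((unsigned char)line[5]))
        return 0;                               /* body must start with the word eVote */
    line += 5;
    while (isspace((unsigned char)*line)) line++;
    if (strncmp(line, "close", 5) != 0) return 0;
    line += 5;
    if (*line != '\0' && !isspace((unsigned char)*line)) return 0;   /* e.g. "closed" */
    while (isspace((unsigned char)*line)) line++;
    if (*line == '\0') { *hours = DEFAULT_WARNING_HOURS; return 1; }
    char *end;
    long h = strtol(line, &end, 10);
    if (end == line || h <= 0) return 0;        /* not a number, or zero/negative */
    while (isspace((unsigned char)*end)) end++;
    if (*end != '\0') return 0;                 /* trailing junk such as "48x" */
    *hours = h;
    return 1;
}

/* Convenience wrapper: the warning-time in hours, or -1 if the line is rejected. */
long parsed_hours(const char *line) {
    long h;
    return parse_close_command(line, &h) ? h : -1;
}

/* The poll closes warning-time hours after the warning round succeeds. */
time_t closing_time(time_t warning_sent_at, long hours) {
    return warning_sent_at + (time_t)hours * 3600;
}

int main(void) {
    /* constructed sample command lines */
    const char *samples[] = { "eVote close 48", "eVote close", "eVote close -3", "eVote remove" };
    for (int i = 0; i < 4; i++)
        printf("%-16s -> %ld\n", samples[i], parsed_hours(samples[i]));
    return 0;
}
```

The parser is strict on purpose: a line such as "eVote closed" or "eVote close 48x" is refused rather than guessed at, so a mangled command never silently starts a closing round with an unintended warning-time.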
 
 In response to an "eVote close 48" sent to the list
 address, lwv-meeting@alice.net, by jane@doe.net, the
 originator and administrator of the poll, eVote will
 generate the following confirmation and verification
 request.  The headers are explained below.
 
 > ---  start of message
 > To: jane@doe.net
 > From: lwv-meeting-eVote@alice.net
 > Reply-To: theclerk@bob.net
 > Subject: CONFIRM: Ax.|i^ Re: President
 > 
 > Thank you for your "close 48" message on:
 > 
 >    "President"
 > 
 > To confirm and verify the poll, please reply-to this
 > message and include this entire unaltered message in
 > your reply.  Notice that your message will
 > automatically be sent to theclerk@bob.net for
 > external verification of the votes.  If you wish, you
 > may, instead, forward the message to one of the
 > following addresses for verification:
 > 
 >   theclerk@charlie.net
 >   theclerk@dana.net
 >   theclerk@emily.net
 >   theclerk@fred.net
 >   theclerk@gary.net
 > 
 > The Clerk at the site you choose will send a final
 > reminder to list members and will check the accuracy
 > of the count.  48 hours after this is successful, the
 > poll will close.
 >
 > The following text is the public encryption key for
 > this poll.  eVote will use it to ensure the integrity
 > of the data.  You don't need to be concerned about
 > it.
 >
 > [The poll's public encryption key is inserted here.]
 > 
 > --- end of message
  
 > From: lwv-meeting-eVote@alice.net
  
 The From: shows that the message is generated by eVote
 for the lwv-meeting email list.  Mail received at
 lwv-meeting-eVote@alice.net is usually aliased to the
 list's owner.
 
 > Reply-To: theclerk@bob.net
 
 jane@doe.net's mail reader will send her reply to the
 sibling eVote facility at bob.net, unless she decides
 instead to forward the message to one of the addresses
 listed in the message body.
 
 The mail aliases for verification are "theclerk", but it
 is really eVote, the user interface, that performs the
 poll verification, not the remote Clerk.  The "theclerk"
 alias is used because the "eVote" alias is
 conventionally used for receiving petition signatures.
 
 > Subject: CONFIRM: Ax.|i^ Re: President
 
 When theclerk@bob.net, an address at the sibling
 eVote/Clerk site, receives the message, it communicates
 with eVote/Clerk at alice.net to check the random
 confirmation key, "Ax.|i^" in the example, and to
 transmit the poll data from alice.net to bob.net.
 eVote/Clerk at bob.net checks the tally and sends each
 participant the following "CLOSE WARNING"/pending-receipt
 message.  Note that the eVote software already provides
 the text in this receipt except for the "Verifying This
 Pending Receipt" section.
 
 > --- start of message
 > 
 > To: each-lwv-meeting-member@somewhere.net
 > From: theclerk@bob.net
 > Reply-To: lwv-meeting@alice.net
 > Subject: CLOSE WARNING: President
 > 
 > The poll on:
 > 
 >     President
 > 
 > will close on Tuesday Jan 23, 2010 at 06:00 PST.  
 >
 > Please save this pending receipt message in its
 > entirety until everyone is satisfied that the poll
 > was conducted accurately.
 >
 > ==== ====
 > POLL TEXT
 > ==== ====
 > 
 > Please choose one.
 >
 > ======= == ===
 > RESULTS SO FAR
 > ======= == ===
 > 
 > Of the 340 people currently subscribed to the
 > lwv-meeting list, 263 have voted so far.
 > 
 > Participants are asked to vote YES on 1 of the
 > following choices:
 > 
 >   Your  On      
 >   Vote  Choice  
 > 
 >     no  1. Lynn Anfanger 
 >     no  2. Alice Bush 
 >    yes  3. Jean Kennedy 
 >     no  4. Abstain 
 > 
 > each-lwv-member@somewhere.net, you have used 1 of
 > your 1 YES votes.
 > 
 > ======= ====
 > PRIVATE POLL
 > ======= ====
 > 
 > This is a "private" poll; ballots are secret.
 > 
 > 
 > == ====
 > TO VOTE
 > == ====
 > 
 > | 1.  Send a message to lwv-meeting@alice.net.
 > |
 > | 2.  Your subject must be "President".
 > |
 > |      * * * * * * * * * * * * * * * * * * * * * * * *
 >  ----> *  NOTE:  These two steps are easy.  Just use *
 >        *         your reply-to key on this message!  *
 >        * * * * * * * * * * * * * * * * * * * * * * * *
 > 
 >   3.  Your message *must* start with the word,
 >       "eVote", or your vote will be sent to the
 >       entire > lwv-meeting list and it won't be
 >       counted!
 > 
 >       To vote yes on choice 2, your message should
 >       say:
 > 
 >           eVote 
 >           2. y
 > 
 >       Every choice you don't vote "yes" on will
 >       receive an automatic "no" vote.  
 >
 >   4.  If your message has a signature, or any other
 >   text below your vote, make a line that says, "end"
 >   just after your vote.
 > 
 > ======== ==== ====
 > CHANGING YOUR VOTE
 > ======== ==== ====
 > 
 > You can change your votes while the poll is open by
 > voting again.
 > 
 > 
 > ======== ==== ====
 > REMOVING YOUR VOTE
 > ======== ==== ====
 > 
 > To remove your votes on "President", 
 > send the message:
 > 
 > 	eVote remove
 > 
 > 
 > ====== === ======= == === ====
 > SEEING THE RESULTS OF THE POLL
 > ====== === ======= == === ====
 > 
 > You cannot see the vote tally until the vote closes.
 > Only jane@doe.net, the originator of this poll, can
 > close it.
 > 
 > 
 > ==== ===========
 > MORE INFORMATION
 > ==== ===========
 > 
 > To receive more information about "President":
 > 
 > 1.  Send a message to:
 > 
 > 	lwv-meeting@alice.net
 > 
 > 2.  Your subject must be:
 > 
 > 	President
 > 
 > 3.  To see your own vote and this information again,
 >     send the command:
 > 
 > 	eVote info
 > 
 > For a general explanation of eVote/Majordomo, use any
 > subject line, and send the message:
 > 
 > 	eVote help
 > 
 > 
 > ========= ==== ======= =======
 > VERIFYING THIS PENDING RECEIPT
 > ========= ==== ======= =======
 > 
 > To verify the validity of this pending receipt
 > message, forward this message, in its entirety, to
 > any of these addresses:
 > 
 >   theclerk@charlie.net
 >   theclerk@dana.net
 >   theclerk@emily.net
 >   theclerk@fred.net
 >   theclerk@gary.net
 > 
 > The following text, although it looks like nonsense,
 > allows any of the addresses above to check that this
 > message has not been altered and is exactly what was
 > reported by the eVote facility at alice.net.
 >
 > ----
 >
 > [This poll's public encryption key and the
 > private-key encrypted non-repudiation MAC for this
 > message are here.]
 > 
 > --- end of message
 
 When poll-closing time arrives, alice.net generates the
 following message for the poll's originator:
 
 > ---  start of message
 > 
 > To: jane@doe.net
 > From: lwv-meeting-eVote@alice.net
 > Reply-To: theclerk@charlie.net
 > Subject: CONFIRM: Bx.|i^ Re: President
 > 
 > The poll on:
 > 
 >    "President"
 > 
 > is now closed but has not been verified or announced.
 > To do so, your help is needed.
 > 
 > Please reply-to this message.  
 > 
 > Notice that your message will automatically be sent
 > to theclerk@charlie.net for external verification of
 > the votes.  If you wish, you may, instead, forward
 > the message to one of the following addresses:
 > 
 >   theclerk@dana.net
 >   theclerk@emily.net
 >   theclerk@fred.net
 >   theclerk@gary.net
 > 
 > The Clerk at the site you choose will send the final
 > tally to each of the list members.
 > --- end of message
 
 In the case that jane@doe.net doesn't respond to this
 message, any member who inquires about the status of
 the poll receives this message until someone finally
 triggers the verification and announcement of the poll.
 
 The third Clerk sends the "CLOSE"/final receipt message
 to each member of the list. Again, the current eVote
 software provides this receipt except for the
 "Verifying This Final Receipt" section.
 
 > To: each-lwv-meeting-member@somewhere.net
 > From: theclerk@charlie.net
 > Reply-To: lwv-meeting@alice.net
 > Subject: CLOSE: President
 > 
 > 
 > jane@doe.net has closed the poll on 
 > 
 > 	President.
 > 
 > This poll was initiated on Thu, 11 Jan 2010 11:16:57
 > -0800
 > 
 > Please save this final receipt message in its
 > entirety until everyone is satisfied that the poll
 > was conducted accurately.
 > 
 > ==== ====
 > POLL TEXT
 > ==== ====
 > 
 > Please choose one.
 > 
 > =======
 > RESULTS
 > =======
 > 
 > Of the 340 people subscribed to the lwv-meeting list
 > when this subject was closed, 313 of them voted.
 > 
 > Participants were asked to vote YES on 1 of the
 > following choices:
 > 
 >   Yes    No     On      
 >   Votes  Votes  Choice  
 > 
 >    85    228    1. Lynn Anfanger 
 >   101    212    2. Alice Bush 
 >   117    196    3. Jean Kennedy 
 >    10    303    4. Abstain 
 >
 > each-lwv-meeting-member@somewhere.net, you can see
 > your own vote, and this information again by sending
 > email to lwv-meeting@alice.net with the subject
 > "President".
 > 
 > Your message should say:
 > 
 >    eVote stats
 > 
 > 
 > ======== === ====
 > DELETING THE DATA
 > ======== === ====
 > 
 > The originator of this poll, jane@doe.net, can drop
 > this poll from the database after it has been closed
 > for 28 days by sending the command:
 > 
 >      eVote drop
 > 
 > Anyone can drop this poll after it has been closed
 > for 180 days.
 > 
 > ========= ==== ===== =======
 > VERIFYING THIS FINAL RECEIPT
 > ========= ==== ===== =======
 > 
 > To verify the validity of this receipt, forward this
 > final receipt message, in its entirety, to any of
 > these addresses:
 > 
 >   theclerk@charlie.net
 >   theclerk@dana.net
 >   theclerk@emily.net
 >   theclerk@fred.net
 >   theclerk@gary.net
 > 
 > The following text, although it looks like nonsense,
 > allows any of the addresses above to check that this
 > message has not been altered and is exactly what was
 > reported by the eVote facility at alice.net.
 >
 > ----
 >
 > [This poll's public encryption key and the
 > private-key encrypted non-repudiation MAC for this
 > message are here.]
 > 
 > --- end of message
 
 Non-Repudiation Specification
 =============== =============
 
 The point of non-repudiation in the networked
 eVote/Clerk facilities is not only to prevent eVote
 installations from denying the email they send, but
 also to foil users who claim false receipts.
 
 The Scheme
 --- ------
 
 The eVote®/Clerk network mechanism is a procedure for
 verifying a non-public poll, i.e., guaranteeing its
 accuracy.  Achieving this degree of accountability
 requires the participation of the users.
 
 When the user/administrator sends an "eVote close"
 command to close a private poll at the alice.net eVoted
 site, she is sent a message instructing her to forward
 this message to another eVote facility to start the
 confirmation and verification process, and to achieve
 closure.
 
 The confirmation message has a random key to confirm
 the user's intention, and a public encryption key to
 verify the poll.  A different public/private key pair
 will be generated for each non-public poll.  These keys
 are for non-repudiation only, not to ensure privacy.
 
 The user chooses the eVote facility at bob.net and
 forwards the confirmation message to theclerk@bob.net.
 
 Bob.net generates a random message, encrypts it with
 the poll's public key and sends this, along with the
 forwarded confirmation message back to
 theclerk@alice.net.
 
 Alice.net checks the random key of the confirmation
 message to verify that the communication from bob.net
 was the one initiated at alice.net and by the
 appropriate user.
 
 Alice.net also decrypts the random message and sends
 that back to bob.net to verify the public/private key
 pair.  With this verification message comes the vote
 data needed so that bob.net can send the "CLOSE
 WARNING" with the pending receipt to each voter before
 the poll closes.
 
 The data message sent from alice.net to bob.net
 contains a data package for each voter.  Each voter's
 package has two parts.  The first part is the email
 address and vote.  These are sent as clear data.  The
 second part is the non-repudiation MAC for the first
 part.  The MAC is encrypted with the poll's private
 key.
 
 Each voter's package is the "pending receipt" for that
 voter.  It is embedded into the "CLOSE WARNING" message
 that is sent to that voter.
 
 Bob.net checks that alice.net was able to decrypt the
 random message; checks the statistics on the poll from
 the clear data; and verifies each voter's data package
 by decrypting and checking the MAC using the public
 key, still remembered from the confirmation message.
 Bob.net sends each voter her vote as clear data, and
 that voter's encrypted MAC.
 
 The process is repeated after the poll is closed so
 that each voter receives a "CLOSED" message which
 contains, besides the voter's final receipt, the final
 tally for the poll.
 
 Verification 
 ------------
 
 Any voter will be able to forward her "CLOSE
 WARNING/pending receipt" or her "CLOSE/final receipt"
 message to any of the Clerk addresses and, if the MAC
 and the key pair are verified, the following message
 will be returned:
 
 > This message is your verification that the eVote
 > receipt you sent, which is copied below, is
 > authentic.
 
 Or, if the receipt cannot be validated, an advisory
 message will be sent to the voter, to the owner of the
 email list, lwv-meeting-owner@alice.net, and to
 eVote-owner@alice.net.  The message will read:
 
 > The eVote receipt you sent, which is copied below,
 > has been altered and cannot be verified.
 
 When bob.net verifies a receipt, it sends a random
 message which is encrypted with the poll's public key,
 to alice.net.  Alice.net returns the decrypted message
 to verify the poll's key pair.  Bob.net checks that
 returned message and checks that the MAC is correct for
 the vote.
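The scheme and the verification step above, as an added example that is not part of this specification or of the eVote/Clerk code: a single-process C simulation of the alice.net/bob.net exchange.  The key pair is a constructed, deliberately tiny textbook RSA pair (p = 61, q = 53, n = 3233) and the MAC is a polynomial hash of the clear data reduced modulo n; both stand in for whatever real signature and digest the released code would use.  All names (VoterPackage, alice_respond, bob_verify_package, subject_key and the rest), the sample voters and the fixed challenge value are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint64_t n, e; } PollPublicKey;   /* travels in the CONFIRM message */
typedef struct { uint64_t n, d; } PollPrivateKey;  /* never leaves alice.net */
/* A voter's package: clear email and vote plus the MAC "encrypted with the
 * poll's private key", which makes the MAC a signature over the clear part. */
typedef struct { char email[48]; char vote[16]; uint64_t mac; } VoterPackage;

uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod) {  /* n < 2^32: no overflow */
    uint64_t r = 1;
    for (base %= mod; exp; exp >>= 1) {
        if (exp & 1) r = r * base % mod;
        base = base * base % mod;
    }
    return r;
}

/* Stand-in MAC (assumption; the page names no digest): polynomial hash of
 * "email|vote" mod n.  The vote is hashed last, so a change to its final
 * character always changes the digest. */
uint64_t package_digest(const char *email, const char *vote, uint64_t n) {
    uint64_t h = 7;
    const char *parts[3] = { email, "|", vote };
    for (int i = 0; i < 3; i++)
        for (const unsigned char *p = (const unsigned char *)parts[i]; *p; p++)
            h = (h * 31 + *p) % n;
    return h;
}

/* Pull the random confirmation key out of "CONFIRM: <key> Re: <poll>". */
const char *subject_key(const char *subject) {
    static char key[32];
    const char *s = strstr(subject, "CONFIRM: ");
    if (!s) return NULL;
    s += strlen("CONFIRM: ");
    size_t len = strcspn(s, " ");
    if (len == 0 || len >= sizeof key) return NULL;
    memcpy(key, s, len); key[len] = '\0';
    return key;
}

/* ---- alice.net: constructed toy key pair (p = 61, q = 53) and poll state ---- */
static const PollPrivateKey ALICE_PRIV = { 3233, 2753 };
static const PollPublicKey  ALICE_PUB  = { 3233, 17 };
static const char POLL_CONFIRM_KEY[]   = "Ax.|i^";

int confirm_key_matches(const char *k) { return k && strcmp(k, POLL_CONFIRM_KEY) == 0; }

/* Alice refuses exchanges she did not start, proves she holds the private
 * key by decrypting bob's challenge, and signs every voter's clear data. */
int alice_respond(const char *presented_key, uint64_t enc_challenge,
                  uint64_t *decrypted, VoterPackage *pkgs, size_t count) {
    if (!confirm_key_matches(presented_key)) return 0;
    *decrypted = modpow(enc_challenge, ALICE_PRIV.d, ALICE_PRIV.n);
    for (size_t i = 0; i < count; i++)
        pkgs[i].mac = modpow(package_digest(pkgs[i].email, pkgs[i].vote, ALICE_PRIV.n),
                             ALICE_PRIV.d, ALICE_PRIV.n);
    return 1;
}

/* ---- bob.net: the remote eVote interface, holding only the public key ---- */
uint64_t bob_encrypt_challenge(const PollPublicKey *pub, uint64_t c) { return modpow(c, pub->e, pub->n); }

/* Decrypt the MAC with the public key and compare it with the clear data. */
int bob_verify_package(const PollPublicKey *pub, const VoterPackage *p) {
    return modpow(p->mac, pub->e, pub->n) == package_digest(p->email, p->vote, pub->n);
}

int bob_count_votes_for(const VoterPackage *pkgs, size_t count, const char *choice) {
    int yes = 0;
    for (size_t i = 0; i < count; i++) yes += strcmp(pkgs[i].vote, choice) == 0;
    return yes;
}

/* The whole exchange on constructed voters.  Returns 1 only if every check
 * bob makes passes and a receipt altered after signing is rejected. */
int run_exchange(void) {
    VoterPackage pkgs[3] = { { "ann@somewhere.net", "3", 0 },
                             { "ben@somewhere.net", "2", 0 },
                             { "cho@somewhere.net", "3", 0 } };
    uint64_t challenge = 1234, answer = 0;   /* constructed; a real Clerk draws it at random */
    const char *key = subject_key("CONFIRM: Ax.|i^ Re: President");
    if (!alice_respond(key, bob_encrypt_challenge(&ALICE_PUB, challenge), &answer, pkgs, 3))
        return 0;
    if (answer != challenge) return 0;       /* private key does not match the public key */
    for (size_t i = 0; i < 3; i++)
        if (!bob_verify_package(&ALICE_PUB, &pkgs[i])) return 0;
    VoterPackage forged = pkgs[1];
    strcpy(forged.vote, "3");                /* tampered after signing: must be rejected */
    if (bob_verify_package(&ALICE_PUB, &forged)) return 0;
    return bob_count_votes_for(pkgs, 3, "3") == 2;
}

int main(void) {
    printf("exchange %s\n", run_exchange() ? "verified" : "FAILED");
    return 0;
}
```

bob.net never holds anything but the public key from the confirmation message, so the tampered-receipt check at the end is exactly what the "Verifying This Pending Receipt" forwarding amounts to: any Clerk re-derives the digest from the clear data and compares it with the MAC decrypted under the public key.  With n this small the pair is trivially recoverable and the digest is collision-prone; a deployment needs a real key size and a real cryptographic digest, and the challenge must be drawn from a proper random source rather than fixed as it is here.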
 
 Internal Specification -- software design
 ======== =============
 
 Each Clerk will have a new address, theclerk@alice.net,
 used both for this interaction with users and for
 communication between eVote/Clerk facilities.  We will
 not build a Secure Socket Layer in this release.
 
 The reasons for sticking to email are:
 
 1.  Using SSL for the communication between Clerks
 will not secure privacy, because the voting itself
 takes place in the clear.
 
 2.  Sticking to the email interface means that almost
 all the coding for this specification will take place
 in the user interface where the source code is already
 released.
 
 3.  The vote-checking will be done by a remote user
 interface and will not involve the remote Clerk at all,
 leaving closed a doorway to possible abuse of the
 remote Clerk's data.
 
 4.  The division of labor that this architecture
 provides allows almost all of the work to be done by
 someone other than Marilyn Davis.
 
 Changes in The Clerk will be minimal:
 
 1.  Change a line of code so that information about
 private polls is released to the user interface, and
 therefore to the user interface programmer.  The
 interface programmer can use the same calls that are
 currently used for public polls.
 
 2.  Support the following calls:
 
 typedef enum {NO, YES, MAYBE, PUNT, DROPIT} YESorNO;
 typedef enum {NOT_OK, OK, UNDECIDED, PROBLEM, STOP,
               CANT} OKorNOT;
 
 YESorNO is_warning_done(ITEM_INFO * p_item);
 
  // Checks if the warning data has been sent to a
  // remote eVote/Clerk facility yet.  
  // Returns YES if the warning has already happened.
  //          NO if it hasn't.
  //        PUNT if called on a public item.
  
 OKorNOT warning_sent(ITEM_INFO * p_item, 
                      time_t time_to_close);
  // Notes that the warning data has been sent and sets the
  // closing time of the poll.
 
 YESorNO is_close_done(ITEM_INFO * p_item);
 
  // Checks if the data has been sent to a remote Clerk
  // since the poll has closed.
  // Returns YES  if the final has been sent.
  //          NO  if it has not been sent.
  //        PUNT  if called on a public item.
 
 OKorNOT close_sent(ITEM_INFO * p_item);
  // Notes that the final data has been sent to a remote
  // Clerk.
 
 OKorNOT store_key_pair(ITEM_INFO * p_item,
                        char *private, char *public);
 
  // Stores the key pair strings for the item.  The
  // length of the keys is not limited.
  // Returns OK  if it stored the key pair.
  //    PROBLEM  if the item is PUBLIC.
  //     NOT_OK  if a key pair is already stored for 
  //             this item.
 
 OKorNOT get_key_pair(ITEM_INFO * p_item,
                      char *private, char *public);
  // Copies the key pair into the addresses given.
  // Returns OK  if it was successful.
  //    PROBLEM  if the item is PUBLIC.
  //     NOT_OK  if a key pair has not yet been stored 
  //             for this item.
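An added example, not Clerk source: an in-memory implementation of the six calls with the return values listed above, plus a driver showing how the user interface would use them across the two closing rounds.  ITEM_INFO's fields, dup_string, advance_close and demo_close_workflow are assumptions (The Clerk's real ITEM_INFO is not shown in this document), as are the PROBLEM results for warning_sent and close_sent on a public item, which the listing above leaves unspecified.

```c
#include <stdlib.h>
#include <string.h>
#include <time.h>

typedef enum {NO, YES, MAYBE, PUNT, DROPIT} YESorNO;
typedef enum {NOT_OK, OK, UNDECIDED, PROBLEM, STOP, CANT} OKorNOT;

/* Hypothetical ITEM_INFO: the specification does not show The Clerk's
 * fields, so this holds only what the six calls need. */
typedef struct {
    int    is_public;
    int    warning_done, close_done;
    time_t time_to_close;
    char  *private_key, *public_key;   /* NULL until store_key_pair() */
} ITEM_INFO;

YESorNO is_warning_done(ITEM_INFO *p_item) {
    if (p_item->is_public) return PUNT;
    return p_item->warning_done ? YES : NO;
}

OKorNOT warning_sent(ITEM_INFO *p_item, time_t time_to_close) {
    if (p_item->is_public) return PROBLEM;
    p_item->warning_done = 1;
    p_item->time_to_close = time_to_close;
    return OK;
}

YESorNO is_close_done(ITEM_INFO *p_item) {
    if (p_item->is_public) return PUNT;
    return p_item->close_done ? YES : NO;
}

OKorNOT close_sent(ITEM_INFO *p_item) {
    if (p_item->is_public) return PROBLEM;
    p_item->close_done = 1;
    return OK;
}

static char *dup_string(const char *s) {   /* strdup is POSIX, not ISO C */
    char *d = malloc(strlen(s) + 1);
    return d ? strcpy(d, s) : NULL;
}

OKorNOT store_key_pair(ITEM_INFO *p_item, char *private, char *public) {
    if (p_item->is_public) return PROBLEM;
    if (p_item->private_key) return NOT_OK;   /* a pair is already stored */
    p_item->private_key = dup_string(private);
    p_item->public_key  = dup_string(public);
    return (p_item->private_key && p_item->public_key) ? OK : CANT;
}

/* As specified the buffers carry no length, so this copies the whole stored
 * string; the caller must size them for the keys it stored. */
OKorNOT get_key_pair(ITEM_INFO *p_item, char *private, char *public) {
    if (p_item->is_public) return PROBLEM;
    if (!p_item->private_key) return NOT_OK;
    strcpy(private, p_item->private_key);
    strcpy(public, p_item->public_key);
    return OK;
}

/* eVote-side driver: what a "close <hours>" arriving at time `now` does to
 * the item.  OK when it advanced the poll a round, UNDECIDED when nothing
 * is due yet (or the poll is finished), PROBLEM for a public item. */
OKorNOT advance_close(ITEM_INFO *p_item, time_t now, long hours,
                      const char *priv, const char *pub) {
    switch (is_warning_done(p_item)) {
    case PUNT: return PROBLEM;
    case NO:   /* first close: store the poll's keys, then the CLOSE WARNING round */
        if (!priv || !pub || store_key_pair(p_item, (char *)priv, (char *)pub) != OK) return CANT;
        return warning_sent(p_item, now + (time_t)hours * 3600);
    default:   /* warning is out: the CLOSE round once the warning-time has run */
        if (now < p_item->time_to_close || is_close_done(p_item) == YES) return UNDECIDED;
        return close_sent(p_item);
    }
}

/* Walk one constructed private poll (and one public poll) through both
 * rounds; returns 1 if every call reports what the specification says. */
int demo_close_workflow(void) {
    ITEM_INFO poll = { 0, 0, 0, 0, NULL, NULL };
    ITEM_INFO public_poll = { 1, 0, 0, 0, NULL, NULL };
    time_t t0 = 1000000;
    char priv[16], pub[16];
    int ok = advance_close(&public_poll, t0, 48, "PRIV", "PUB") == PROBLEM
          && advance_close(&poll, t0, 48, "PRIV", "PUB") == OK
          && is_warning_done(&poll) == YES
          && store_key_pair(&poll, "X", "Y") == NOT_OK    /* second pair refused */
          && get_key_pair(&poll, priv, pub) == OK && strcmp(pub, "PUB") == 0
          && advance_close(&poll, t0 + 47 * 3600, 48, NULL, NULL) == UNDECIDED
          && advance_close(&poll, t0 + 48 * 3600, 48, NULL, NULL) == OK
          && is_close_done(&poll) == YES
          && advance_close(&poll, t0 + 49 * 3600, 48, NULL, NULL) == UNDECIDED;
    free(poll.private_key);
    free(poll.public_key);
    return ok;
}
```

One point worth raising on the specification itself: get_key_pair() receives two buffers but no lengths, while store_key_pair() says key length is unlimited, so the callee has no way to bound its copy.  The implementation above copies as specified and relies on the caller; a length argument, or returning the stored pointers, would make that contract enforceable before release.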
 
 ----
 
 I'll provide these Clerk-based facilities as soon as
 possible in a new private development release: 3.501.
 
 ----
 
 Marilyn Davis, Ph.D            marilyn@deliberate.com   
 Author of eVote®/Clerk                 
 http://www.deliberate.com             -1 650 965-7121