• bss03@infosec.pub
    link
    fedilink
    arrow-up
    11
    ·
    8 months ago

    This is inconsistent with the preservation of democracy, as it allows a third party to confirm exactly who you voted for, and reimburse or punish you for it.

    Mainly you’ll have to tweak point 3, to use existing E2E.verified voting approaches which are only tangentially related to asymmetric encryption (and private keys).

    We might use asymmetric encryption and private keys for some parts of identity verification, but you wouldn’t sign your ballot with it.

    • vane@lemmy.world
      link
      fedilink
      arrow-up
      1
      arrow-down
      2
      ·
      edit-2
      8 months ago

      This is just the problem between the chair and keyboard how to implement the rest of encryption to enforce anonymity of the vote.

      My point was that you can’t do symetric key efficiently when you don’t have assymetric key confirmed by both parties.

      I agree that for example you can vote anonymously just by using dedicated software on your computer that will identify you and then sign and encrypt payload that you can send anonymously from wherever you want - even from the moon. Just make sure we don’t include any metadata in signed and encrypted file.

      And actually I am missing point 8

      1. All software dedicated to this process must be open source
      • bss03@infosec.pub
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        8 months ago

        This is just the problem between the chair and keyboard how to implement the rest of encryption to enforce anonymity of the vote

        That’s not what that phrase means. Ensuring anonymity requires a fundamentally different process than signing with an asymmetric key – involving zero-knowledge proofs, a separate theory from cryptography. A PEBCAK would be when the process is correct and unchanged, but the human (in the chair, at the keyboard) does something contrary (or otherwise inconsistent) with the process.

        And yes, the software must be distributed consistent with the OSI’s definition of open source. (Or consistent with the Debian Free Software Guidelines, which are older but substantially the same, even if it is not packaged for Debian.)