
election-services message



Subject: RE: Things to do - Requirement Document. Security.


Jason,

	I was asking for the sections in the requirements document. And I do agree
that audit is a security function. First let us identify *all* requirements
and then worry about categorizing them. If we can categorize them as we add
the requirements, it is well and good, but the emphasis is to get *all*
angles.

	We have (at least) two issues on encryption - wire/transport security and
document security. I see no way other than to specify that *all* election
related transactions be carried over SSL/TLS. This would satisfy the wire
security. The other side of security is the field level encryption. We also
need to address non-repudiation across all system components.

cheers & have a nice weekend

|-----Original Message-----
|From: Jason Kitcat [mailto:jeep@free-project.org]
|Sent: Friday, June 22, 2001 7:45 AM
|To: election-services@lists.oasis-open.org
|Subject: RE: Things to do - Requirement Document. Security.
|
|
|Hi,
|
|>	Good comments. Here are my observations.
|>
|>	1.	We would add audit as another section. While we are on this subject,
|>what other sections do you see for the req document?
|
|Another section where? To the document or to security? I personally
|think it has to be addressed with security.
|
|>	2.	The partial encryption is to *selectively* expose information. For
|>example for statistics purpose, one might have to look at the county
|>information, but not the actual voting. So there could be two encryptions -
|>one for county and one for actual vote. Again, the point is, we should not
|>make it *impossible* to do partial encryption. For all we know, we might do
|>full encryption.
|
|Some confusion I think.... we need to distinguish between
|communications/transport level encryption and data/information level
|encryption. I was talking about transport level but you clearly
|aren't ;-)
|
|But I agree, keep the options open.
|
|regards,
|Jason
|
|--
|            The FREE e-democracy project
|----------------------------------------
|            http://www.free-project.org
|----------------------------------------
|  secure, private and reliable Free Software
|


