On Sat, 2019-07-27 at 11:40 +0100, Roy Bamford wrote:
> On 2019.07.27 07:21, Michał Górny wrote:
> > Hi,
> >
> > (CC-ing all parties interested in technicals, plus main consumers)
> >
> > I'd like to work on providing a new web-based frontend for voting
> > in Gentoo elections. It would replace votify in the pipeline but
> > generate countify-compatible data, so the votes would still be counted
> > using the old tooling.
> >
> >
> > Goals
> > =====
> > The goals for the new system would be to:
> >
> > 1. Improve privacy of votes by removing the connection between voters
> > and their confirmation IDs ASAP (not storing them unencrypted
> > on permanent storage at all).
> >
> > 2. Unifying the voting mechanism for developers and non-developers.
> > The latter currently vote by mail and get their votes manually hacked
> > into the system.
> >
> > 3. Removing the dependency on dev.gentoo.org shell access for voting.
> > This is implied by 2. but should also support any future efforts of
> > reducing reliance on the single system in Infra.
> >
> > 4. Make it possible to use the system for unofficial elections (e.g.
> > team lead votes). Currently setting a vote up requires root
> > privileges on dev.g.o which is not really feasible.
> >
>
> 5. Election Officials shall have a means to determine the voter turnout
> from time to time while the election is in progress.
>
> Today, it's carried out by the -infra contact and publicised in reminders
> to vote, IRC channel topics etc.

Oh, I thought those mails are directed to all listed officials for an
election and assumed this is nothing new to solve. Sure, this is
entirely feasible.

> > [snip]
> >
> > Before the election starts, election officials prepare a list of voters
> > containing their e-mail addresses and OpenPGP key fingerprints. They
> > run a script which creates tokens for all voters, encrypts them, then
> > mails them to voters.
>
> How do we deal with expired public keys?
When token mails are generated, GPG automatically verifies whether keys
are usable. As a result, if someone has an expired key, the script
explicitly notes it and returns an error.

> Devs get a warning at commit time before their key expires. Non-devs
> will not be permitted (by gpg) to sign a ballot with an expired key.
> Here, the election officials' script will be attempting to make use of
> expired keys.
>
> I can see another requirement ...
> 6. At the record date for any election, voters' public keys shall be
> checked for validity until at least the end of the voting period.
>
> That will give election officials time to remind the electorate to fix
> their keys.

You can't sign votes using your key, as this kills the privacy
requirement. Instead, we rely on secret token mails being encrypted
using the voter's key. The key only needs to be valid at encryption
time, as you can decrypt messages from the past ;-).

-- 
Best regards,
Michał Górny
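A pre-flight check of the kind the thread is discussing, added here as an example and not part of the election tooling: it parses `gpg --with-colons --list-keys` output (a constructed sample with placeholder fingerprints is embedded below) and reports, per voter on the officials' list, whether the key is usable at the moment the token mail is encrypted (what the token script needs) and whether it stays valid until the voting period ends (Roy's proposed requirement 6). The election dates and voter list are assumed values.

```python
from datetime import datetime, timezone

# Constructed `gpg --with-colons --list-keys` output (placeholder fingerprints):
# field 2 is the validity flag, field 7 the expiry as seconds since the epoch.
SAMPLE_GPG_OUTPUT = """\
pub:u:4096:1:0000000000000001:1500000000:1900000000::u:::escaESCA::::::23::0:
fpr:::::::::AAAA000000000000000000000000000000000001:
pub:e:4096:1:0000000000000002:1500000000:1560000000::u:::escaESCA::::::23::0:
fpr:::::::::AAAA000000000000000000000000000000000002:
pub:f:4096:1:0000000000000003:1500000000:1565000000::u:::escaESCA::::::23::0:
fpr:::::::::AAAA000000000000000000000000000000000003:
"""
# Constructed voter list; the fourth fingerprint is not in the keyring at all.
VOTER_LIST = ["AAAA" + "0" * 34 + "%02d" % i for i in (1, 2, 3, 4)]
SAMPLE_NOW = datetime(2019, 7, 27, tzinfo=timezone.utc)          # token mails sent
SAMPLE_VOTING_ENDS = datetime(2019, 8, 10, tzinfo=timezone.utc)  # voting period ends
UNUSABLE = {"e", "r", "i", "d", "n"}  # expired, revoked, invalid, disabled, never

def parse_keys(colon_output):
    """Map fingerprint -> (validity flag, expiry datetime or None)."""
    keys, pending = {}, None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            exp = datetime.fromtimestamp(int(f[6]), timezone.utc) if f[6] else None
            pending = (f[1], exp)
        elif f[0] == "fpr" and pending is not None:  # fpr record follows its pub
            keys[f[9]] = pending
            pending = None
    return keys

def check_voters(fingerprints, keys, now, voting_ends):
    """Per voter: ok / expires-before-end / unusable / missing."""
    report = {}
    for fpr in fingerprints:
        if fpr not in keys:
            report[fpr] = "missing"             # nothing to encrypt the token to
            continue
        validity, exp = keys[fpr]
        if validity in UNUSABLE or (exp is not None and exp <= now):
            report[fpr] = "unusable"            # gpg would refuse to encrypt now
        elif exp is not None and exp < voting_ends:
            report[fpr] = "expires-before-end"  # decryptable later; flagged per req. 6
        else:
            report[fpr] = "ok"
    return report

def sample_report():  # runs the check over the constructed keyring and voter list
    return check_voters(VOTER_LIST, parse_keys(SAMPLE_GPG_OUTPUT), SAMPLE_NOW, SAMPLE_VOTING_ENDS)
```

Only "missing" and "unusable" need to stop token generation; "expires-before-end" is informational under the point made above that the key only has to be valid at encryption time.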