The election officials are divided into two separate organizations: the Registrar of Voters and the Election Board. The Registrar of Voters is responsible for certifying who is allowed to vote. He has his own X.509 key pair, which is semi-permanent. The Election Board is responsible for handling and publishing the ballots. It also has an X.509 key pair, which is different for each election.
The Registrar of Voters issues Ballot Tickets to known voters, which prove to the Election Board that the voter is qualified to vote. The Ballot Ticket is kept with the ballot. Voters need to trust that the Registrar of Voters will not keep a record of which Ballot Ticket was issued to which voter (except in special cases), so that the ballot can be secret.
When the voter registers, he creates a key pair which he uses to produce a Certificate Signing Request (CSR), which contains the public key from the pair. If the Registrar of Voters is satisfied with the prospective voter's credentials, he signs the CSR, producing an X.509 certificate. The Registrar keeps one copy and returns another to the voter. For perfect resistance to election fraud the voter should produce the private key; however, it's a fact of life that some voters may need help in generating a private key. In this case the Registrar of Voters promises to retain only the certificate, not the private key.
The Voter Registration Table is the list of registered voters. It needs these fields; those marked with (*) can be seen at any time by the general public.
Field | Description |
---|---|
Name (*) | Full name of voter |
Name Credential | Evidence given by the voter that he has the right to use that name. |
Address (*) | It is traditional to list the voter's point of physical presence. |
Credential | Evidence given by the voter that he meets the qualifications for voting: typically, evidence of owning or renting residential property within the jurisdiction, or service by a residential-type business such as the phone company. If, as is likely, voters often offer several credentials, this information would need its own table. |
E-mail Address | In case of a dispute, the Registrar of Voters will notify the voter by physical mail at the alleged residence address, and by e-mail if that address is provided. |
Status (*) | Indicates if the person voted. |
Disputed (*) | Boolean, true if the validity of the registration is being disputed. |
Ballot_Ticket | Only for non-secret ballots, the Ballot Ticket (see below) is saved here. The ballot is non-secret if the person's registration is disputed and not resolved by election day. |
Certificate | The Voter Registration Certificate. |
The Ballot Ticket is eventually appended to the ballot and uniquely identifies it. Its major field is a random but unique number (encoded as text); in addition, most jurisdictions will want another field indicating the election precinct to which the voter belongs, so the ballots can be grouped by precinct. (That feature is not included in this demo.)
On the day of election, the voter alleges his identity to the Registrar of Voters by presenting his X.509 Registration Certificate and a signature made with his private key. If the unique identifier from the certificate is in the Registration Table, the Registrar sends back a Ballot Ticket, which is another X.509 certificate including a separate unique identifier. The Election Board believes in this certificate and accepts a ballot to which it is attached.
Only for non-secret ballots, the Ballot Ticket identifier is recorded in the Voter Registration Table, so if a disputed registration later goes against the voter the ballot can be found and removed; otherwise, the Registrar promises to forget the relation between the voter and the Ballot Ticket.
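The registration and election-day identity check described above, as an added shell example that is not part of the original demo: the voter generates the key pair and CSR, the Registrar signs it, and the Registrar later accepts the certificate only together with a valid signature from the matching private key. The subjects, file names and the random nonce used as the signed message are assumptions; the page does not say what the voter signs.

```shell
#!/bin/sh
# Added example. Subjects, file names and the nonce are constructed/assumed.
D=$(mktemp -d)
q() { "$@" >/dev/null 2>&1; }   # run a command quietly, keep its exit status

setup_registrar() {   # semi-permanent self-signed Registrar certificate
    q openssl req -new -newkey rsa:2048 -sha256 -x509 -days 3700 -nodes \
        -subj "/O=Registrar of Voters/CN=Demo Registrar" \
        -keyout "$D/registrar.key" -out "$D/registrar.crt"
}

register_voter() {    # $1 = file prefix, $2 = voter name
    # Voter side: the key pair is generated locally; only the CSR is sent.
    q openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "/CN=$2" \
        -keyout "$D/$1.key" -out "$D/$1.csr" || return 1
    # Registrar side: x509 -req checks the CSR's self-signature, then signs.
    q openssl x509 -req -in "$D/$1.csr" -sha256 -days 365 \
        -CA "$D/registrar.crt" -CAkey "$D/registrar.key" -CAcreateserial \
        -out "$D/$1.crt"
}

authenticate() {      # $1 = certificate presented, $2 = key used to sign
    # Assumed challenge: the Registrar sends a fresh nonce, the voter signs it.
    openssl rand -hex 16 > "$D/nonce" || return 1
    q openssl dgst -sha256 -sign "$D/$2.key" \
        -out "$D/nonce.sig" "$D/nonce" || return 1
    # Registrar: the certificate must chain to the Registrar's certificate...
    q openssl verify -CAfile "$D/registrar.crt" "$D/$1.crt" || return 1
    # ...and the signature must verify under the certificate's public key.
    openssl x509 -in "$D/$1.crt" -noout -pubkey > "$D/$1.pub" || return 1
    q openssl dgst -sha256 -verify "$D/$1.pub" \
        -signature "$D/nonce.sig" "$D/nonce"
}

setup_registrar && register_voter alice "Constructed Voter A" \
    && register_voter bob "Constructed Voter B"
authenticate alice alice && echo "certificate with matching key: accepted"
authenticate alice bob   || echo "certificate with another key: rejected"
```

A certificate alone is public information, so the second call shows why the Registrar must check the signature and not just look the certificate up in the table.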
To vote, the voter creates a key pair and a Certificate Signing Request (which uses a common name of "Anonymous Voter, Secret Ballot"). He fills out the ballot and attaches the Signing Request and his Ballot Ticket. If the Ballot Ticket is valid, the Election Board signs the request and sends back the certificate, concatenated with the Ballot Ticket certificate and a copy of the ballot itself, all signed with the Election Board's private key.
The Election Board's software checks the ballot for obvious or possible errors and brings them to the voter's attention. An invalid ballot (e.g. voting for two candidates) will not be accepted until the voter fixes it.
The voter is advised to save the signed ballot in case of election fraud. By the Election Board's signature he can prove that the ballot was cast, even if it disappears and the Election Board tries to repudiate it, and possessing the private key he can prove that he held the Ballot Ticket and signed the ballot, disproving allegations that he is trying to disqualify or otherwise influence someone else's ballot.
The ballot consists of these parts:
15; E; President of the United States; Frodo Baggins
74; Y; Shall InetVote be used exclusively in this state?; Yes
At any time, anyone may view any ballot by specifying the Ballot Ticket. This access is only productive for the voter himself, to verify that his ballot was not altered fraudulently. After the election, anyone may download all the ballots. There should be exactly as many ballots as voters who were issued ballot keys. However, a few voters may accidentally destroy their keys with no backup, or may break off and not complete the voting process due to some personal emergency. Thus, the count of issued ballot keys should exactly equal the number of voters tagged as having voted.
Command line to create a self-signed certificate:
    openssl req -new -newkey rsa:2048 -sha256 -x509 -days 3700 \
        -out eboard.crt -keyout eboard.key -nodes
Sample responses for the subject of the above key:
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:California
    Locality Name (eg, city) []:Sasquatch County
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Election Board
    Organizational Unit Name (eg, section) []:Election of 2004-11-02
    Common Name (eg, YOUR name) []:James F. Carter, Chairman of the Election Board
    Email Address []:helpdesk@eboard.sasquatch.ca.us