As it is imprudent to give personal information to untrusted agents on the web, you may wish to use an alias for this demo. The following National Identity Card has been issued for your use, containing a unique identifier. Alternatively you could use some other identifier which is unique with high likelihood.
United States of America
National Identity Card
This card certifies that
(Fill in name here)
is a citizen of the United States of America.
Unique identifying code:
The product of this form is a script (program) which uses OpenSSL to create your first secret key, and creates a request (PKCS#10 file) that the Registrar of Voters sign the X.509 digital certificate that goes with that key, which proves that whoever can wield that key has the right to receive a ballot in the election.
When the script comes back, save it to a file on disc; do not let your web
open (execute) it. Put it in the same folder (directory) where
you saved the File Signing Script in the previous step.
Once you have saved the script to a file on disc, proceed to the next step, where you execute the script and send in the resulting Certificate Signing Request.
Both Microsoft Internet Explorer® and Netscape® (and its various clones such as Mozilla, Opera and Konqueror) have different procedures to induce the web browser to do what the script does, create a secret key and a Certificate Signing Request, and to automatically send in the CSR. However, there is no provision to sign an arbitrary file such as your ballot, so it's necessary to get the voter to do this using OpenSSL. The procedure to generate the CSR is extremely vendor-dependent and extremely poorly documented, plus it is completely impossible for a security-conscious user to audit what is happening. Thus, I have chosen to do the whole process via OpenSSL.
Registration is the point where cheating is easiest, both in the conventional manual system and in this internet-based one. There are four types of cheating: false naming, graveyard voting, identity theft, and multiple registration.
The cheater makes up a totally
fictitious identity. In the manual system he can then
identity's right to vote by making a manual signature under penalty of perjury.
The Registrar of Voters rarely checks if the voter exists until an election
is disputed, and then it is very laborious to do the checking manually.
Falsely named voters are common in elections.
With InetVote, the cheater has to actually construct a complete false identity by obtaining a name credential (typically a drivers license) plus an adequate pattern of residence credentials which have to be rented or paid for. A forged drivers license will not do; the Department of Motor Vehicles has to actually tell the Registrar of Voters that the drivers license is valid. The accounts used as residence credentials have to be maintained from the time of registration until after any disputes are resolved, since the Registrar of Voters can, and probably will, check them repeatedly. This can be done for one or two identities but is prohibitively time-consuming and expensive in the quantities necessary to influence an election.
The cheater locates an identity who is currently registered but whose qualification has lapsed, typically by being deceased, but also by moving out of the district. In the manual system the cheater need not re-register the victim; he can simply forge the person's signature to receive a ballot. If the cheater supports the dominant party, in some jurisdictions scrutiny of the signatures will not be too energetic.
With InetVote, the cheater will not have access to the decedent's secret key, and therefore will need to break the decedent's registration and then re-register him, converting the issue to identity theft. Unfortunately, a claim that the secret key was lost is all too plausible.
In the legal system, a manual signature under
penalty of perjury is considered to be
proof, and the cheater can easily
subvert this low standard to insert his own forgery as the signature of an
existing person. The less likely the victim is to vote (e.g. if deceased), the
less likely that the fraud will be discovered when the
same person tries
to vote twice.
With InetVote, the cheater needs to know the document or account numbers of the victim's name and residence credentials. With modern privacy laws this information is not available in bulk, though the low standards for its stewardship make identity theft reasonably possible.
A person should vote only in the jurisdiction of his principal residence. However, he may be registered in multiple places and may cheat by voting in all of them. In the manual system it is practically impossible to detect multiple registration.
With InetVote, the name and residence credentials must be valid and up to
date in all the jurisdictions, which is difficult unless the cheater actually
resides in each one simultaneously, e.g. owns a ranch in Ventura county and a
beach house in San Diego county. Then, the question becomes which one is the
principal residence. Maintaining multiple residences is expensive. For
a cheater of ordinary means, who is simply lying about residing in the
jurisdiction, this issue degenerates into the false naming case, except that
the cheater's name credential(s) may truly be valid in all the jurisdictions.
The list of registered voters is public record. If there were a statewide or nationwide information exchange where all such lists were merged, multiple registration would be much harder to perpretrate.