Re: Spec for anonymous voting



On Thu, 2005-06-02 at 09:05 +0200, Vincent Untz wrote:
The elections committee generates a unique token for each foundation
member, and sends them an e-mail to their account with instructions how
to vote [1].

One problem here, as you noted later, is that the e-mail could be
intercepted. A possible solution would be that the member goes to the
secure website, logs in and clicks on a "Get token" link. The token
could be pregenerated (as in the current proposed solution) or generated
at this moment (but in this case, we can't sign the token with a private
key).


One problem here is, how would the foundation member 'log in' to the
secure website? AFAIK, there are currently no authentication tokens
stored for the foundation members (or are there?).

The closest thing that I know we've got is that some members may have
'SSH' keys in the LDAP server that authenticate them to our CVS server,
but not all members, and SSH keys aren't that much good in the context
of authenticating users to websites :( A handful have pserver passwords
too, but they aren't much use either.

I suppose one possibility would be that we could provide a simple
terminal/curses-based interface, and have people SSH in and request a
token, which can then be used for subsequent operations (maybe via a
secure website). Then we just need to get the remaining foundation
members to establish LDAP accounts and/or their SSH keys. User #3 is
still going to need a bit of assistance in this case, methinks :( I
don't much like this idea, it's messy, but it's a possibility.

While public key cryptography in GNOME doesn't come with an easy UI,
perhaps we should consider just storing a simple MD5 (or whatever)
hashed password against the member's entry in our LDAP database. Even
user #3 could probably manage to use 'openssl passwd' (or we can set up
a simple wrapper script on a secure site) to generate a hashed password,
which they can send (plaintext, even) to 'accounts gnome org'. Accounts
do a quick round-trip verification, and install the password. The user
can then use their password to authenticate themselves as a foundation
member to a secure site (so the prehashed password isn't transmitted
on-the-wire in plaintext), and use scripts on the site to vote (or
generate a token to vote, or even update their contact details, or list
their LDAP information and group membership or whatever).

Obviously, when public key cryptography becomes easier and more
standard, and the relevant client/server authentication mechanisms
evolve to support it, we can and should reconsider the situation.

I think we should avoid using e-mail as a mechanism for
foundation-related requests/responses. Safer to use a secure site.

Just thinking aloud :) Good work, fellas.

--
Ross
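
An added sketch of the hashed-password flow described in the message above (not part of the original post, and not GNOME's actual setup): the member builds a salted LDAP userPassword value locally, and the secure site later checks logins against it. The {SMD5}/{SSHA} encodings are the OpenLDAP salted schemes, picked here as an assumption for "MD5 (or whatever)"; the function names and the sample password are constructed.

```python
import base64
import hashlib
import hmac
import os

# OpenLDAP-style salted schemes: base64(digest(password + salt) + salt)
SCHEMES = {"{SMD5}": ("md5", 16), "{SSHA}": ("sha1", 20)}

def make_hash(password, scheme="{SSHA}", salt=None):
    """Member side: build the value that gets sent to the accounts team."""
    algo, _ = SCHEMES[scheme]
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode()

def check_password(stored, password):
    """Site side: verify a login attempt against the stored LDAP value."""
    for scheme, (algo, dlen) in SCHEMES.items():
        if stored.startswith(scheme):
            break
    else:
        return False  # unknown scheme or unhashed value: reject
    try:
        raw = base64.b64decode(stored[len(scheme):], validate=True)
    except ValueError:
        return False  # not valid base64
    if len(raw) <= dlen:
        return False  # digest without a salt: reject
    digest, salt = raw[:dlen], raw[dlen:]
    candidate = hashlib.new(algo, password.encode() + salt).digest()
    # constant-time comparison so timing does not leak digest bytes
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    stored = make_hash("constructed-sample-passphrase")  # constructed sample
    print(stored)
    print(check_password(stored, "constructed-sample-passphrase"))
    print(check_password(stored, "wrong guess"))
```

The salt makes two members with the same password produce different stored values, but anyone who reads the hash in transit can still run offline guesses against it, so the strength of the chosen password matters.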



