Separation of Duty Principle

Abstract

In Chap. 9, two existing remote electronic voting systems are analysed (the POLYAS system and the Estonian system) according to the evaluation framework presented in Chap. 8. In terms of a proof of concept it is shown that the framework is suitable for remote electronic voting systems and flexible enough to cover arbitrary systems. In addition, according to Chap. 7, the Common Criteria Protection Profile overcomes the identified vulnerabilities from existing requirement and evaluation documents because

• it is based on a standardised, consistent, and exhaustive list of requirements,

• the Common Criteria is an internationally accepted evaluation standard (ISO 15408) that strictly guides the evaluator with the Common Evaluation Methodology, and

• the Common Criteria is flexible with respect to different trust models and different evaluation depths.

However, the Protection Profile only considers two aspects of the trust model, assumptions to the environment and the intruder’s technical capability. Therefore, in this chapter, the third aspect of the trust model – who can be trusted not to maliciously cooperate with others – takes centre stage. It is shown that this aspect cannot be integrated in the Protection Profile without losing the flexibility to meet different implementations of remote electronic voting systems.

Thus, an independent evaluation methodology to measure the separation of duty level for remote electronic voting systems is presented: the computation of the k-resilience value. This approach is exemplarily applied to some aspects of the POLYAS system and the Estonian system.