Tuesday, September 22, 2015

Indian National Encryption Policy

It is interesting to note that the Government of India's Department of Engineering and Information Technology has issued a National Encryption Policy for public comment, and today the first addendum to it was issued for people to refer to. However, the overall policy has been left rather lopsided. By lopsided, I mean the subjectiveness and perspective dependence that is maintained throughout the Policy.

I will not get into the micro-level details on which the industry's who's who are commenting: which types of services would be covered, and which data users as well as businesses would need to retain for 90 days. That is low-level speculative inference that differs from person to person and from perspective to perspective. My initial view was the same, and I took to Twitter about it :)

My assessment of the Policy is that it has a lacuna: it is neither aligned with industry standards nor based on prevailing trends. For that matter, one key aspect I find missing is that the Committee should have taken cognizance of the "Heartbleed" and "POODLE" vulnerabilities that led to the demise of SSL as an encryption standard. It should have been noted that the PCI Council has declared that SSL is no longer a supported standard for encryption and that TLS 1.2 is the de facto standard until the next such notification. The Indian National Encryption Policy fails to align itself with the latest standards, though its vision and mission statements say it should. The policy goes everywhere except where its vision and mission point.

I am surprised to actually read a reference to SSL in the Policy at a time when the world is moving to TLS 1.2 and the industry's bigwigs have already adopted it. Moreover, TLS 1.3 is already being eyed, as it is slated for release next year. We have already seen the advent of SHA-3 earlier this year, and the Policy still sticks to 3DES and RC4. It needs to be noted that RC4 is already vulnerable to attacks that can be used to recover some of the information encrypted with it (read the Security Week article dated March 2015). Moving on to 3DES, it is not considered strong enough to protect data at all; when the Target breach happened, it was identified that 3DES was deployed, and there was a lot of scrutiny of that choice: why was 3DES used when AES was available?
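As an added example (not part of the original post), here is a small Python check that applies the deprecations discussed above to a TLS client configuration: TLS 1.2 as the floor, with RC4 and 3DES excluded. The cipher string and the sample suite names are my own assumptions, not taken from the policy.

```python
"""Check a TLS client configuration against the deprecations the post names:
SSL retired, TLS 1.2 as the minimum, RC4 and 3DES excluded."""
import ssl

# Substrings of OpenSSL cipher-suite names that identify the obsolete
# algorithms named in the post. "DES" covers both single DES and 3DES,
# whose OpenSSL names read DES-CBC3-*; it does not match "AES".
WEAK_TOKENS = ("RC4", "DES")

# Assumed hardened OpenSSL cipher string: forward-secret AES-GCM/ChaCha20
# suites only, with RC4, DES/3DES and unauthenticated suites disabled.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!RC4:!3DES:!DES:!aNULL:!eNULL"

# Constructed sample of suite names a legacy configuration might enable.
LEGACY_SUITES = ["RC4-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]


def weak_suites(names):
    """Return the cipher-suite names that use RC4 or (3)DES."""
    return [n for n in names if any(tok in n for tok in WEAK_TOKENS)]


def hardened_context():
    """Client context that refuses anything below TLS 1.2 and weak ciphers."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def audit(ctx):
    """Report whether a context meets the TLS 1.2 floor and list weak suites."""
    enabled = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_version_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "weak_suites": weak_suites(enabled),
    }


if __name__ == "__main__":
    print("legacy sample, weak suites:", weak_suites(LEGACY_SUITES))
    print("hardened context:", audit(hardened_context()))
```

Running `audit` against a context that still allows TLS 1.0/1.1 or RC4/3DES suites flags the same gaps the post criticises in the policy.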

So, while the industry bases its opinion on the micro issues of what to store, how to store it and where to store it, and talks about data security and integrity from a different angle, my real concern is that the overall Policy covers obsolete standards and technologies and is based on them. I am not sure why the trade pundits or the bloggers on social media have not raised this issue till now.

Certainly, in its current form the Policy itself would be obsolete in no more than 6 months, and that would call for the next round. But would DeitY listen to Gen Next, or are we still going to hear from the "experienced" folks who failed to evaluate the latest and greatest developments?

Would you hear the voice of Young India, or would this also go the TRAI way?