As I was browsing through India’s e-governance standards portal (on which I have to commend the designers, they used Plone as a Content Management System, rather than the ASP/J2EE custom built crap), I couldnt help but notice that not a single draft is up for review. In case, you follow a difficult set of steps, you come at the only standard which has been published:

Institutional mechanism for e-Governance Standards formulation version 1.0

Which is, of course, a standard to make e-governance standards!

This is highly delplorable considering that this covers areas like Information Security and Cryptographic standards. Security through obscurity never works.

Consider the way that cryptographic standards are set in the USA, which takes place through its parent body - National Institute of Standards and Technology. It makes its publications available online at its portal in a very transparent, searchable manner. But that is not the best part :

• It publishes all its drafts.
• For determination of cryptographic and information security standards, it uses a public competition and peer review process, during which, academics and professionals compete to come up with the best cryptographic standard. One such competition is underway to determine the next version of the digital hashing standard, a key piece for the e-commerce industry. Previously, the AES standard for cryptography came from arelatively unknown researcher, who beat stalwarts like Shamir and Rivest for the win.

Not only is India’s method highly bureaucratic, it is extremely scary, considering most of information security malpractices stem from insiders. It is not a bad idea to mirror the American cryptographic standards, if we do not have the resources to pull off a competition.

Babu-inspired cryptography is something to be afraid of - I guess it is time to file a Right-to-Information petition for the release of these standards.