Assurance

["Michael W. Brogan" <>]

There are several places in IAP v1.1 where “industry standard” crypto is specified. Having a reasonable understanding of the term seems important when making statements about compliance to the IAP.

 

In local discussions I’ve encountered a range of interpretations.

 

One interpretation states that any crypto used in a widely deployed product is “industry standard” because the broad installation base of the product makes it a de facto industry standard.

 

Another interpretation is that “industry standard” means the crypto meets some standard for resistance against current threats that is certified by a government agency (e.g. NIST) or is generally deemed of equivalent strength. Algorithms that have been deprecated for years would be excluded from the “industry standard” list. IAP v1.0 specified NIST-approved crypto but this was changed to “industry standard” in v1.1.  I’ve assumed the goal behind this change was to maintain cryptographic strength but to provide implementers more flexibility in choice of algorithms. Was that the case?

 

Anyone want to offer interpretations of “industry standard” crypto from their own campus assurance work?

 

Michael W. Brogan

University of Washington