IT security laws should be about responsibilities and about the general techniques and functionalities one should use, not about the specific tools or protocols used to implement them.
So says one of the most respected IT security thinkers of the moment (but please don't make a guru out of him; I think that if you read his blog you will see that he is doubting all the time what he is writing, which makes him a great thinker and not a guru):
``Once a law mandates specific technologies such as protocols, applications or software, innovation stops. Companies know they will be okay as long as they do everything that the law says, and they will not figure out ways to make things more secure.
``Once, while visiting Canada, my credit card number was stolen and criminals attempted to withdraw money with it. It took Visa just half an hour to cancel my cards, as they have their own system to look for signs of fraud, authenticating transactions rather than just the user of the card, and I was impressed.
``Force the credit-card companies to be liable for fraud; tell them `you can use any technology you want, because fundamentally this is your profit and this is your loss.' Korea seems to have it the other way around.''